Tor Browser 6.0.8 released

by gk | December 13, 2016

Tor Browser 6.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Besides updating Firefox to 45.6.0esr, which fixes important security bugs, we ship the latest Tor stable version, 0.2.8.11. HTTPS-Everywhere is updated as well (to 5.2.8), and we make improvements to our default obfs4 bridges.

Here is the full changelog since 6.0.7:

  • All Platforms
    • Update Firefox to 45.6.0esr
    • Update Tor to 0.2.8.11
    • Update Torbutton to 1.9.5.13
    • Update HTTPS-Everywhere to 5.2.8
    • Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
    • Bug 20837: Activate iat-mode for certain obfs4 bridges
    • Bug 20838: Uncomment NX01 default obfs4 bridge
    • Bug 20840: Rotate ports a third time for default obfs4 bridges

Comments

Please note that the comment area below has been archived.

December 13, 2016

Permalink

I'm still waiting for that "Resize Tor Browser to default size" feature, anyway great work guys!

Adding to that, if I mistakenly double-click on a youtube video... poof! I go to fullscreen mode.
I suppose this reveals my screen resolution?
If so, it would be nice to block the feature.

Interesting. Can it be done in a way that it can be communicated back to the server? Do you have a link to a proof of concept or more information?

Thanks for the links! I wasn't aware of the @media (anti-)feature. It sounds like CSS is well on its way to becoming just as dangerous (at least in terms of fingerprinting) as JavaScript. Thanks also to the poster of the later reply for the ip-check.info link!

I hope the developers can work out a solution, assuming there is one. Does the X11 or Wayland API support any way of permanently locking a normal window's size? Is there any way for this to work properly under a non-floating window manager, e.g. tiling? Is the resolution affected by themes/skins (at the GTK+ level, I guess) that could alter the size of the UI components, or are we just talking about the size of the rendering pane itself (excluding the title/status/tab/address/search bars)? What if the default window size is too large to fit on the screen?

Furthermore, how many other attack vectors like this are out there? Would it be safer in the long run to disable @media and fall back to the simple old-fashioned rules (at least for a given notch on the security slider)?

>ip-check.info

Unencrypted http= no way to authenticate via SSL/TLS cert= putting users at risk (tampering by malicious exit nodes, compromised host server of site, etc.)

Doesn't this make "ip-check.info" suspicious?

Forcing constant updates on users is a tyranny of the majority. TOR needs to allow for an opt out of updates. A constant harassing flashing triangle is abuse. Offer an unobtrusive way of opting out of updates.

Alas, this won't happen anytime soon. Stop wanting to use a web browser, and then we'll be able to talk. Until then, you need your browser updates, and it's irresponsible of us to let you be on the Internet without them.

I also liked notification saying that resizing window size might deanonymize user with option to Restore back to Default Size. I think that is valuable information to inexperienced users.

I am not sure if that notification only shows once, or did I somehow close it in a way it doesn't pop back on, and I can't find where in options I could turn it back on.

I miss Restore back to original resolution button, without need to restart browser, since restarting browser closes tor service too and kills other connections via tor network in some cases.

Maybe include that button in Tor button or Menu, or make notification persistent, or at least reset "do not show anymore" for each new browser session.

December 13, 2016

Permalink

Raspberry Pi configured to be a Tor router is much better than Tor Browser.

This makes you immune from Firefox exploit, you can use Chrome and Adobe Flash Player, run malware under Tor in VM too.

InvizBox.com is this, is cheap only $50.

No, this is likely terrible advice -- first because Flash will screw you, and second because routing all your traffic into Tor can mess up your privacy.

For more details, you should read
https://lists.torproject.org/pipermail/tor-relays/2014-October/005541.h…
and then
https://lists.torproject.org/pipermail/tor-relays/2014-October/005544.h…

The right thing to do if you have a separate box for routing your traffic is to set it up to *drop* all traffic that isn't going through Tor properly, and then only correctly configured applications can reach the network at all.

The "here's a magic anonymity box, now you don't have to change any of your behavior and you're magically safe!" model is super dangerous. Be careful out there!

December 14, 2016

In reply to arma

Permalink

For a scenario where everything on the machine needs to stay anonymous.. you would say what I wrote is not better than Tor Browser?

Also.. this setup makes so even Flash uses Tor.. connection to internet without Tor is impossible.

UDP traffic simply doesn't work on my laptop.

If you send personally identifiable information out to the internet, just using Tor won't help you in the slightest.
Tor Browser isn't simply "a browser that uses Tor". It was designed in such a way to limit the amount of fingerprintable information that can be used to identify you (or, more specifically: your browser and system).
If you send out an information saying "My name is X" it doesn't matter what channel it travels through. What matters is it reveals who you are to anyone on the other side of that channel.
This is Tor 101.

Also it has different circuits for each website, which is impossible (anyone to confirm?) to achieve using that Anonabox.

This is wrong. The circuit isolation is triggered by the browser using a different socks username/password for different circuits. This works with a Tor running on a different box.
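
The mechanism this reply describes, as an added example that is not part of the original comment thread or of Tor's own code: the credentials travel inside the SOCKS5 handshake (RFC 1928 / RFC 1929), so a tor daemon on another machine receives them exactly as a local one would. The `IsolatingProxyModel` class, the convention of using the URL-bar domain as username with a session nonce as password, and the `.example` hosts are assumptions made for illustration.

```python
"""Added illustration: SOCKS5 credentials as a circuit-isolation key.

Not Tor or Tor Browser source code. The proxy below is a toy model of the
rule "streams with different SOCKS auth never share a circuit".
"""
import struct

SOCKS5 = 0x05            # RFC 1928 protocol version
AUTH_USERPASS = 0x02     # RFC 1928 method: username/password
SUBNEG_VERSION = 0x01    # RFC 1929 sub-negotiation version
CMD_CONNECT = 0x01
ATYP_DOMAIN = 0x03


def build_greeting():
    """Client greeting that offers only username/password authentication."""
    return bytes([SOCKS5, 1, AUTH_USERPASS])


def build_userpass(username, password):
    """RFC 1929 request: VER | ULEN | UNAME | PLEN | PASSWD."""
    user, pw = username.encode("ascii"), password.encode("ascii")
    if not (1 <= len(user) <= 255 and 1 <= len(pw) <= 255):
        raise ValueError("RFC 1929 fields must be 1..255 bytes long")
    return bytes([SUBNEG_VERSION, len(user)]) + user + bytes([len(pw)]) + pw


def build_connect(host, port):
    """RFC 1928 CONNECT by domain name, so the proxy side resolves the name."""
    name = host.encode("ascii")
    if not 1 <= len(name) <= 255:
        raise ValueError("host name must be 1..255 bytes long")
    return (bytes([SOCKS5, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(name)])
            + name + struct.pack("!H", port))


def handshake_bytes(first_party, nonce, dest, port):
    """The three client messages, in the order they cross the network."""
    return [build_greeting(), build_userpass(first_party, nonce),
            build_connect(dest, port)]


def parse_userpass(msg):
    """Proxy-side parse of an RFC 1929 request, rejecting malformed lengths."""
    if len(msg) < 2 or msg[0] != SUBNEG_VERSION:
        raise ValueError("not an RFC 1929 request")
    ulen = msg[1]
    if ulen == 0 or len(msg) < 3 + ulen:
        raise ValueError("truncated or empty username")
    plen = msg[2 + ulen]
    if plen == 0 or len(msg) != 3 + ulen + plen:
        raise ValueError("password length does not match message size")
    return msg[2:2 + ulen].decode("ascii"), msg[3 + ulen:].decode("ascii")


class IsolatingProxyModel:
    """Hypothetical proxy: one circuit id per distinct (username, password)."""

    def __init__(self):
        self._circuit_by_auth = {}

    def circuit_for(self, userpass_msg):
        auth = parse_userpass(userpass_msg)
        next_id = len(self._circuit_by_auth) + 1
        return self._circuit_by_auth.setdefault(auth, next_id)


# Constructed sample: (URL-bar domain, host actually requested).
SAMPLE_REQUESTS = [
    ("news.example", "news.example"),
    ("news.example", "tracker.example"),   # third party embedded in news.example
    ("shop.example", "shop.example"),
    ("shop.example", "tracker.example"),   # same third party, different site
]


def assign_circuits(requests, session_nonce="0"):
    """Return [(first_party, destination, circuit_id)] for the requests.

    Assumption: username = URL-bar domain, password = per-session nonce.
    """
    proxy = IsolatingProxyModel()
    rows = []
    for first_party, dest in requests:
        auth_msg = build_userpass(first_party, session_nonce)
        rows.append((first_party, dest, proxy.circuit_for(auth_msg)))
    return rows


if __name__ == "__main__":
    for row in assign_circuits(SAMPLE_REQUESTS):
        print(row)
    for msg in handshake_bytes("news.example", "0", "tracker.example", 443):
        print(msg.hex())
```

In the sample, `tracker.example` is reached over two different circuits because the isolation key is the URL-bar domain, not the destination host.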

> For a scenario where everything on the machine needs to stay anonymous.. you would say what I wrote is not better than Tor Browser?

If you want all of your machine to stay anonymous then use: Tails (live system), Qubes OS with Whonix, or Subgraph OS.

December 14, 2016

In reply to arma

Permalink

Many thanks arma, for this informed answer.
Plus RPi is far from being free hardware.

Raspberry pi is not free but a better solution than forced to buy an expensive computer you cannot afford, just because some people dropped 32 bit support for a browser.
So a working anonymous browsing system on a raspberry pi or lookalike would be a good alternative solution for people that do not live in the great and rich western world.

I use faster Penryn (second generation laptop C2D) with 4gb pc2-6400. i have a heavy firewall running. Craigslist price is about $60 in large urban area. Less if beat up with weak battery.
T400 for less than $80.

XFCE Linux might run TBB faster.
TBB might run OK on faster Merom (first generation laptop C2D) with 3gb. (Latitude D830 or D630 with weak battery, $40 in large urban location)
Thinkpad T61 probably costs a little more.

An early Windows 7 AMD is probably as good.

If you want large display, then buy Conroe C2D such as Optiplex

TBB needs more power than regular Firefox, which runs OK on weak Yonah.

December 16, 2016

In reply to arma

Permalink

There are still some interesting use cases, if I want to route all my TV through Tor, or all of my iPhone through Tor, that's the way to go.

Can't speak for anyone else, but I really don't recommend routing HD video or other high bandwidth traffic over Tor without at least some indication that it is anonymous at all. Relays already generously provide bandwidth for those in need, and in the past have had trouble keeping up with demand. And hogging all that bandwidth for TV is pointless if it is, e.g. sending its serial number, MAC address to the server anyway. But if you do, please consider running a relay to give back some of the bandwidth.

SERIOUS PROBLEM WITH TAILS DONATE PAGE- I hope someone will forward to Tails devs:

In latest Tails 2.9.1
From page at
https://tails.boum.org/donate/index.en.html
clicking-on "donate" button, goes to:
https://www.paypal.com/cgi-bin/webscr
with message:
>Access Denied
>You don't have permission to access "http://www.paypal.com/cgi-bin/webscr" on this server.

Here your approach is to use hardware isolation and always force the traffic to go through Tor. While it seems a good approach at first, the devil is in the details.

Since the Firefox exploits work on Firefox and not on the tor daemon that is in your SBC (Raspberry Pi), an exploit would compromise your laptop.

Once the laptop is compromised, the traffic still goes through Tor but:
- Since the attacker controls your laptop, the attacker can identify uniquely, at the exit node the traffic. At this point the attacker still doesn't know where you are located.
- An attacker can monitor all your traffic and access all your files, and with that knowledge try to find your name and position.
- To compute your position, the attacker can use all the laptop's hardware (WiFi, Bluetooth, etc), all the serial numbers (MAC Address, BIOS or UEFI DMI information, various serial number)
- An attacker can use the camera and microphone(s) to gather information on the environment of the laptop.
- An attacker can install persistent malware at the BIOS level or even with higher privileges than that.
- An attacker can try to compromise all the devices you connect to the computer.
- An attacker can try to compromise all accounts you connect to from the computer.

Using physical separation effectively probably requires you to fabricate your own hardware, to avoid all the serial number issues.
Even with that they might not be avoidable entirely:
- CPU might have serial numbers or at least have a way to identify the revision.
- Almost all storage devices use serial numbers.

Then if you are the only one using that hardware, you have an issue since you will be deanonymized easily.
You then need to mass produce such hardware, and ensure that it doesn't get compromised at fabrication or shipping.

If some common hardware meets the requirements, and maybe some SBCs do (to replace your laptop, not the tor-router), it would probably work.

The first thing to do, in order to work in this direction, would probably be to:
- Draft precise requirements/specifications
- Review existing hardware, to see if they can meet the specifications.

Actually, it doesn't make you immune to the Firefox exploit, it would just prevent the payload from getting your real IP. Your computer's serial number, MAC address, hostname, etc. would still be sent to home base over Tor.

Except invizibox is a terribly designed "Tor router" which is effectively a scam. It has too many problems to name, both in implementation, and fundamental design. If you actually need a Tor router, you should patch OpenWRT as The Grugq's PORTAL. Or better yet, don't use something crappy like that at all, and use Whonix with a hardware gateway (rather than a VM gateway).

December 13, 2016

Permalink

Thanks for all the great work!

Just a small feature suggestion: make the Torbutton icon display the current security level in some way (e.g. through different coloring or emblems). That way the user is immediately aware of their current security setting before visiting some webpage. I think this would also encourage users to set the security level higher more often.

December 14, 2016

In reply to gk

Permalink

Security Level - Colour
High-Green
Medium high -Yellow
Medium low- Orange?
Low-RED

I think complete recoloring, particularly the red icon, would confuse users too much, it would make them think that something is wrong. And the green onion icon is pretty... iconic.

I have in mind something like this:

  • Low: the green onion as it is now
  • Medium-low: add bronze outline around the green onion
  • Medium-high: silver outline
  • High: gold outline

December 14, 2016

In reply to gk

Permalink

What about "Stealth Mode"? Hide torbutton and restore default Firefox icon to make TBB visually indistinguishable from Firefox?

December 13, 2016

Permalink

Dear Ladies and Sirs,
I try to install 'onion sites' and 'hidden net' but I'm sorry, I'm not able to do this. Please can you help me with instructions in German language or even can you install this for me?

I'm curious of your reply and say many thanks!

Kind regards
Jörg Hager
(joerg-hager@t-online.de)

December 13, 2016

Permalink

Greetings,

Have you had any other reports of upgrade difficulties with this release?

I cannot manage to upgrade from 6.0.7 to 6.0.8 on Win XP (Yes, I know!)

What happens is... After I download the 4.8 MB update and restart the browser, it loads the old version and gives a pop-up saying:

"Software Update Failed - The update could not be installed. Please make sure there are no other copies of Firefox running on your computer, and then restart Firefox to try again."

Tor Browser then works normally but it's the old version, 6.0.7.

There is no other Firefox process running in Windows Task Manager.

When I check for updates again, it downloads the same 4.8 MB package and the process starts over.

My antivirus is turned off and I've rebooted the computer several times.

I've been using Tor for years and have not had any other problems updating the Tor Browser in recent memory.

Thanks for your help.

December 14, 2016

In reply to gk

Permalink

Thanks for checking and replying!

I eventually solved the installation problem on my XP by moving the Tor Browser security slider from High to Low.

(I keep the TB in High mode most of the time.)

After I lowered the security setting, the update package changed from 4.8 MB to 60.8 MB and it installed perfectly.

Maybe only XPs are prone to this glitch?

Thanks again for your help and for developing the fantastic Tor Browser, an incredible and indispensable program.

Make sure you have plenty of free disk space (>400MB according to some sources). This has been a very common problem lately, because TB doesn't warn the user. It's worth a try.

December 13, 2016

Permalink

hi

December 13, 2016

Permalink

Can I get any more information about CVE-2016-9899 and CVE-2016-9893 (fixed in this release)? The bug pages on bugs.mozilla.org say I am not authorized to view the details, and the mfsa description is very vague. I'm curious what exploit vectors they use. I imagine the former can be blocked by noscript, because it says it involves a UAF for audio, which can be blocked, but the latter is just a collection of general memory-related bugs, which may or may not be related to javascript.

December 13, 2016

Permalink

When I keep Tor button to High the update size is about 5 MB but when it is kept medium-high or low it first downloads 5 MB then installs and next it downloads 85.8 MB.

December 14, 2016

In reply to gk

Permalink

I am currently downloading 6.0.7 let me verify the download and test it.

December 14, 2016

In reply to gk

Permalink

After trying it the third time everything went okay. Sorry, maybe it was a problem with my network.

December 14, 2016

In reply to gk

Permalink

Meanwhile, is the case that Updater downloads update ~10 times before exposing it to user on Windows "works fine" for you?

I did not say this. But there is not much we can do if the download got corrupted or tampered with. When I say "works fine for me" I mean I tested it on different machines with different locales and different operating systems and the update got downloaded once and applied cleanly.

December 14, 2016

In reply to gk

Permalink

It's a minor issue, but it happens always on different OSes with all recent versions, so it's strange that you say "got downloaded ONCE".

Well, that's what I am experiencing both while quickly testing after enabling the updates and during updating my own Tor Browser instances. With one exception: On OS X stable if you started with a newer Tor Browser on OS X, one that supports code-signing, and are updating you are currently downloading the incremental one first and need to download the full update afterwards. We realized this bug after we shipped the code-signed bundles and it took us quite some time to get the fix right. See: https://trac.torproject.org/projects/tor/ticket/19410 for the details.

This is fixed in the alpha series and should work with Tor Browser 6.5 which is supposed to be the next stable release.

I experience this same issue since 6.0.5. If I download from TBB's about box:
First downloads 5 MB. then it downloads 8x.x MB and fails to install it.
If I download from Torbutton, fail again with message: Can't install update (fail applying patch).

I then download clean, unpack and use. Next update, same problem. Ubuntu 64, es lang, highest security settings.

Hard to say what goes wrong in your case. Could you share some log output? One thing that would probably be helpful is looking at the log you get after setting "app.update.log" on about:config in your Tor Browser to "true" before doing the update. The console (Ctrl + Shift + J) should get the output which might already help. Then there should be a UpdateInfo folder in your tor-browser_es-ES/Browser/TorBrowser after you tried to update. There updates/last.update.log should be interesting as well.

December 14, 2016

Permalink

We live in Iran. Iran does not support international cards because of sanctions imposed by America. Is there another way we can donate to Tor?

December 14, 2016

Permalink

Is it SAFE to add some dictionaries from other localized versions of Tor Browser?

December 14, 2016

Permalink

I have two tor-browser_en-US folder
one in /documents/ (first)
other in /desktop/ (second)
I wanted to put first one to high security level and the second to medium-high
After I put the first to high then turn second to medium-high and return to the first it would be at medium high.
Then I put first back to high and then go to second the second goes to high(I had put it at Medium-high)
Debian 8.6 64-bit tor browser 6.0.8

I had upgraded tor browser at /documents/ from 6.0.7 to 6.0.8
After putting the tor browser(the one at /documents/) at high I copied the folder to /desktop/(second). then opened second and changed it to medium-high this somehow made the first ( the one at /documents/) to medium high

December 14, 2016

Permalink

I get Tbb tunnel through a local proxy software which is NSA friendly, and Tbb cannot choose any kind of bridges for the connection to the network, so does it mean is it NSA be able or easier to crack Tor without bridges?

December 14, 2016

Permalink

Tor doesn't work anymore:
"Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start."

I would try this:
Copy your places.sqlite (bookmarks) from directory/folder of TBB that doesn't work.

Extract and run the full current TBB.
Shutdown.
Replace the new TBB's places.sqlite with your old places.sqlite

December 15, 2016

In reply to gk

Permalink

OS X 10.11.6 El capitan
How to extract bookmark if I can not enter TB.
Where is places.sqlite file
May be erase bookmark and start from a brand new browser?
(thank you for your help guys)

Is it the first time you are using Tor Browser or the first time you have this trouble? I guess you have installed Tor Browser into /Applications. What happens if you take a fresh new Tor Browser and install it to your Desktop instead. Does that work?

December 16, 2016

In reply to gk

Permalink

Never had problem to use it
First time I have trouble. Yes I install it in applications folder. I tried on desktop but the same problem happened. I broke it

December 16, 2016

In reply to gk

Permalink

On desktop the message is different:
Tor unexpectedly exited. This might be due to a bug in Tor itself, another program on your system, or faulty hardware. etc

I also get this, on XP

The 2.8.x executables are messed up, it's been this way for several releases.

And cookies are STILL broken in tor Browser (only been what like 3 years now and no fix from Tor Project)

It seems this is a different issue as you are on Windows and the behavior the user reported started recently on OS X? That said please file a bug for your problem at https://bugs.torproject.org so we can investigate it? We would need additional information in order to reproduce it (if you are customizing your Tor Browser etc.).

December 15, 2016

Permalink

I'm having lots of troubles running Tor on Kali Linux 2.0.

I only can run it from a terminal window and changing my clock to UTC, it rarely opens as a browser itself. I've tried with bridges, but connection process seems to last forever: it stays the whole night without changes.

Your help will be welcome. Thank you.

December 15, 2016

Permalink

I like this app more since I have started to use it.
Thankful for your work, guys. Much love to you.

Your task manager is correct. For Windows we only have 32bit builds yet mainly as Mozilla introduced 64bit Firefox builds for Windows not that long ago and we wanted to see that platform stabilized first before supporting it as well. That said we plan to work on a 64bit Tor Browser for Windows next year, after we switched to the new long-term support version, ESR52.

But Sebastian was correct as well. He was talking about tor the network program that Tor Browser ships.

December 16, 2016

In reply to gk

Permalink

ESR 52

https://wiki.mozilla.org/RapidRelease/Calendar
That is 2017-06-12 for ESR Firefox 52.2 .

Are you dropping support for Mac again then?
For Mac OS X 10.6, 10.7 and 10.8 ?

Only supporting Mac 64bit systems on OS X 10.12, 10.11, 10.10?

December 17, 2016

In reply to gk

Permalink

"He was talking about tor the network program that Tor Browser ships."

tor.exe on Windows is 32-bit, too?

December 16, 2016

Permalink

Every Tor Binary since Tor Browser 5.0.7 release has caused the following error on XP:

"Tor exited during startup. This might be due to an error in your torrc file, a bug in Tor or another program on your system, or faulty hardware. Until you fix the underlying problem and restart Tor, Tor Browser will not start."

December 16, 2016

Permalink

Two bugs

1 bug inherited from firefox that is more than highly annoying.
When printing and saving Torbrowser is not remembering the printing settings anymore which means every time adjusting 4,5,6,7, settings while the older ESRs (38) were remembering these settings.
Highly annoying if you have to print articles a lot and do the setting thing over and over and over again.

It also does not make sense for example that in the 'page header' section first the title is chosen and 3rd the page url.
In this order you will almost never get the full url on your print and then it is wasted information anyway.
It makes more sense to reverse these two (or delete the page title) and start with the full url only.

For the page footer and I already remarked that on this site a long while ago, printing date and time is not always helpful because you cannot visually remove this while you can remove the creation dates if you want to.
Keep it blank as a standard setting gives more privacy.

2, other bug, when javascript is turned off the redirection of the ddgo search engine is not redirecting to the non-javascript search engine page.

Thanks

December 19, 2016

In reply to gk

Permalink

For 1 & 2, test it on a Mac OS X system. and compare it with any 5 version of Torbrowser.

December 20, 2016

In reply to gk

Permalink

I also just tested the setting and picked up also a very good working 10.6.8 system and the redirect is not working at all.

It is stuck with this message
"You are being redirected to the non-JavaScript site.
Click here if it doesn't happen automatically."

So, No, it does not redirect to duckduckgo to the javascriptfree site automatically.

I think it is NoScript again.
I do not use the security slider but manual security settings in NoScript.

With these higher security settings Torbrowser is also still (for several browser versions now (6, 5, 4?) completely crashing (!) when trying to print as pdf web content on some websites as mentioned before (long ago).

When I have time, I'll consider finally to look for the procedure making a (or a list of) bug report(s) on Torproject, but will not also go for the 'account' hassle on Mozilla over there for reporting other browser things.
I do not believe they will pickup Mac bug things anyway because they are on this (in my opinion negative) ignoring old userbase track of making support for mac's smaller and smaller and smaller as a practical solution for their problems with making a stable browser for the Mac OS X platform (which they did not really succeed from Australis versions from around 28 or so for 32 bit systems and also even 64 bit mac systems).

Torbrowser 5 works relatively fine on older Mac systems (better than FF38 itself) and also some 4 versions do well by the way.
For Torbrowser version 6 I highly dislike that the browser profile is stored in the local library instead of within Torbrowser.app itself, this solution is against mobile and clean usage, leaving traces everywhere.
I like the 5 version still more because of less bugs.

But, it has to be said,
thanks for the good work on this browser anyway.

December 16, 2016

Permalink

The browser that says "-Nan:Nan"

This error is showing up on youtube.
Probably because you disabled this setting in about:config?
svg.in-content.enabled;false

Now I was already wondering why I could not open that nice Tor image from the about:tor page in a new window in Torbrowser.
"onion-heart.svg"
It's an svg and that's disabled.

Therefore I knew that playing youtube content would be a problem because the play-button-bar has something to do with svg.
Enabling "svg.in-content.enabled" is fixing the playing choices and does let disappear the magic "-Nan:Nan" (any rabbits around?) language.

Didn't mozilla solve the svg issue?

O, and please consider to change the Torbrowser icon in that lovely nice hearted onion! It's far more beautiful and positive looking then that (not so nice) green world icon.

December 17, 2016

Permalink

Problem: Mac OSx running Yosemite

-When a find is initiated in Torbrowser it is copied to Firefox 50.02 demonstrating some sort of link between the 2 applications.

-Meek Azure transport type does not work.

Yes that is a strange problem already mentioned here long time ago.
It is a General Mac OS X problem with mozilla browsers.

See why-where this is happening
Make a search attempt in one of your mozilla browsers, with 'cmd' 'f' .
Open your TextEdit program from the applications folder.
Open find-replace function (with 'cmd' 'f') in TextEdit and you will see exactly the word you used in your mozilla browser is filled in in the "Find:" space.

As long as the word is over there it will be shown in the search field of mozilla browsers. Even if you close the browsers and open them again it will be there!

The only user solution is to remove that particular word or phrase from the "Find:" space in TextEdit program or don't use the 'find' function in your browser at all if that is a privacy concern to you.
No workaround, unless Torbrowser (or mozilla) devs are fixing this and break the relationship of the find function in Torbrowser and Mac OS X.

We will see, or not.

Re your first issue: Yes, this is a bug and in our bug tracker I believe (I can't seem to find the ticket right now, though :/ ).
Re your second issue: Albeit slow it works for me. I just tested it on a Linux machine. Do you get errors you could paste somewhere?

December 17, 2016

Permalink

Privacy security concern ?

Why is local file browsing in Torbrowser enabled?
One can browse local files via Torbrowser with these url's

file://
file:///

Would it be possible (thinking from an attackers point of view) that this would be embedded as a (hidden) file path on a website and stealing one way or another that local file directory displayed information?
Like, or even an url file:///followed by a standard path to a local documents directory/

Is it possible to steal local directory information (with the help of standard enabled javascripts) from some sort of cache-history directory in a current session?
I really hope not.

Now, I do not think people use this function on a regular basis or even a lot, probably almost never.
Can you consider, will you do, or tell us how to disable this function to prevent privacy and security related issues and accidents?

Thank you in advance for looking at this possible privacy security concern

Content is not supposed to have access to file:/// URLs. (Although there have been path traversal bugs in the past in Firefox) Being able to view local files (e.g.PDFs in the Tor Browser PDF viewer) is a neat feature to have actually.

December 19, 2016

In reply to gk

Permalink

Thanks.
In-browser pdf viewing is still standard enabled by the way. From a security point of view I should think, just download pdf files, use a local pdf viewer application and make sure that pdf viewer has no access to internet and or disable embedded pdf javascripts. But maybe in-browser viewing has a better security management perspective from Torproject point of view.

December 19, 2016

Permalink

Is Google search in Tor Browser completely broken for anyone else now, or just me?

For the last few days, if the Privacy and Security slider is set to any level other than High, any Google searches I attempt in Tor Browser seem to trigger the Robots test by default, resulting in a series of "Select all images with X" and/or "Select all squares with X" type reCaptcha puzzles that must be solved first, instead of the usual "To continue, please type the characters below:" reCaptcha prompt. And if I manage to pass this significantly more laborious reCaptcha test and get the tick in the box signifying that "I'm not a robot", clicking the "Submit" button just redirects me to a Google error page with a picture of a robot, broken and in pieces, with the following text:

"400. That’s an error.

Your client has issued a malformed or illegal request. That’s all we know."

If the Privacy and Security slider is set to High, any Google searches I attempt in Tor Browser also seem to trigger the Robots test by default now, causing the "To continue, please type the characters below:" reCaptcha prompt to appear. And if the correct "characters" are submitted, I get a brief wait a moment while we redirect you notification, then get taken to my Google search results, then immediately after the tab with my Google search results has finished "Connecting" and loaded completely, I get dumped on a Google error page with the same picture of a robot, broken and in pieces, with the following text:

"403. That’s an error.

Your client does not have permission to get URL /sorry..."

Getting these problems too, using Google in Tor is becoming harder and harder - they make you jump through hoops ticking images only to tell you at the end that "Your client has issued a malformed or illegal request. That’s all we know." That's all they know!!!!

December 20, 2016

Permalink

Not exactly anonymous that Torbrowser?

I always wondered why I was exactly landing on the mac part of the Tor download page when I clicked on a Torbrowserlink for updating Torbrowser.
I forgot it some time ago.
But now it happened again when I was checking an insecurity warning near the lock in the url bar.
I clicked on the lock, clicked on the right arrow and then clicked on the 'Learn more' link.
Then I was redirected to a Mozilla page in two steps.
This was the final landing page
https://support.mozilla.org/en-US/kb/mixed-content-blocking-firefox?red…

But for a very short moment I first saw another page in the url bar, that was this one
https://support.mozilla.org/1/firefox/45.6.0/Darwin/en-US/mixed-content
A surprisingly accurate link.

Apparently all the measures of changing the useragent string and some more values in about:config do not make my Torbrowser anonymous.
This link is telling the accurate version of my Torbrowser and the system I was on, Darwin is referring to the Mac OS X version of Torbrowser and is far from what the useragent string is telling
general.useragent.override;Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0

Now my question is,
apparently there is code in Torbrowser active that can tell someone else the right information about the exact kind of Torbrowser version I am on.
Information that my Torbrowser is trying to hide.

If Torproject can read this information and Mozilla can, who else can detect this browser information?
No-one? Any-one? Only Smart 'web developers'?
And if they can, is changing the useragent string a half privacy solution then?

I am very curious for the privacy answer
Thank you in advance

The browser itself knows these things. Have a look at the value for "app.support.baseURL" in your about:config. There you'll find placeholders like %OS% which are filled in by your browser just before the request goes out. That does not mean that web content has the same capabilities. In fact, that would be a severe bug if that were the case.

December 20, 2016

Permalink

feature or bug?

in the past (don't know when exactly) when you changed the security slider the website automatically loaded with the new settings. now you have to click reload. ty

December 21, 2016

Permalink

:D

December 21, 2016

Permalink

can you answer me why this browser is so slow!!? and i can't search anything, nothing in the page, it is just a blank page what the fuck???

December 22, 2016

Permalink

Do wish you all could find a way to spoof the window size, not a lot of real estate on a netbook. Great work though really.

December 22, 2016

Permalink

SUPER

December 23, 2016

Permalink

Nice

December 26, 2016

Permalink

Hi, I've been having this problem since the day I installed Tor Browser, all the other browsers stop responding or they just crash..and my cam light blinks..help...

December 28, 2016

Permalink

Why not remove Disconnect from the Torbrowser search bar in the top right? It only defaults to Duckduckgo

December 31, 2016

Permalink

I am using the DuckDuckGo thing. However I am using Torbrowser with its circuit. And if I try to go on an onion site, it says I can't get in the site.

December 31, 2016

Permalink

Has the circuit info panel recently been removed? I'm using a system wide installation of Tor if that makes any difference, but a few days ago I also couldn't see it with the bundled Tor version. In both cases extensions.torbutton.display_circuit was set to true.

January 01, 2017

Permalink

TBB didn't work for me in the last days. No traffic a few moments after start. I turned off OCSP cert validation. Now it works again.

January 23, 2017

Permalink

22-01-2017, 20:04:18.000 [WARN] Proxy Client: unable to connect to 83.212.101.3:443 ("general SOCKS server failure")
This port is not responding again.

January 24, 2017

Permalink

This doesn't seem to work on Windows 10 - I get a firefox.exe Application Error stating the application was unable to start correctly.

Stock and after-market AVs are disabled.