# Tor Browser 7.0.2 is released

Tor Browser 7.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor.

We are updating Tor to version 0.3.0.9, fixing a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This release also updates HTTPS-Everywhere to 5.2.19.

Here is the full changelog since 7.0.1:

• All Platforms
• Update Tor to 0.3.0.9, fixing bug #22753
• Update HTTPS-Everywhere to 5.2.19
Tags

### Hi, death,…

Hi, death,

I think we are actually saying the same thing: being on the Internet is dangerous, but necessary for life, so life is dangerous, but instinct demands that we try to prolong life, so... huzzah tor and all those other nice things you mentioned!

Some years ago a poster requested in this blog that Debian developers introduce quantum-cryptanalysis resistant crypto, and codecrypt (confusingly, man codecrypt doesn't give a man page, but the utility is ccr and man ccr gives a man page) tries to work toward that need. However, I wish it had more extensive documentation.

Keep the good stuff coming, please, FOSS people!

Anonymous

July 07, 2017

In reply to by Anonymous (not verified)

### https://github.com/exaexa…

https://github.com/exaexa/codecrypt
it needs an audit (like most foss).
it needs practice and i have not found a site for that but pgp has several which this one :
https://www.reddit.com/r/GPGpractice/
or this one working only in pgp
https://keybase.io/tlikonen

eff is preparing a new guide :
https://www.eff.org/secure-messaging-scorecard

foss :
https://privacytoolsio.github.io/privacytools.io/
Never trust any company with your privacy, always encrypt (especially if you suspect some of them working on the bad side e.g protonmail).

### > it needs an audit (like…

> it needs an audit (like most foss).

And much better documentation (like too much FOSS).

But I don't want to sound harsh: at least some individuals out there are trying to help.

Still, it seems clear that what we need a concerted global cooperative effort to develop, code, audit, and promote post-quantum crypto. Such concerted cooperative efforts to make something everyone needs happen is best done by governments, but we have the special problem that all the world's governments now seem to hate anything which empowers citizens, such as strong crypto.

Describing the problem is easy; fixing it will not be. But fix it we must, somehow.

Very cool! I hope they at least mention Tor Messenger, maybe even urge readers to consider a donation to Tor Project.

### My guess is that the…

My guess is that the download happened right before you moved to offline mode. I just tested it with 7.0.1 and moved immediately into offline mode after start-up. The download of the update and all network requests got blocked for me.

The about-window-issue is still open, yes, see: https://trac.torproject.org/projects/tor/ticket/10952

Anonymous

July 05, 2017

### since the update i cannot…

since the update i cannot connect to any onion sites, the connection just times out, however all other sites are fine... any info or help/advice?

### In order of likelihood, my…

In order of likelihood, my guesses are:

A) The onion sites you're trying are all down. Try http://duskgytldkxiuqc6.onion/ or https://www.facebookcorewwwi.onion/

B) Your time or date or timezone on your computer are set wrong.

C) You messed with your Tor Browser configuration a bunch and you broke the proxy settings or some other piece of the config.

Let us know which one it is. :)

### I notice that Debian 9.0…

I notice that Debian 9.0 installer is more aggressive about making everyone use NTP (Network Time Protocol) than Debian 8.0. Years ago users were warned that NTP is hopeless insecure. I hope that is no longer the case!

> Your time or date or timezone on your computer are set wrong.

Quick question about that: what is the approximate time scale where clock offsets can interfere with using onion services?

Another issue with strangely set system clocks is presumably that this can assist the bad guys in deanonymizing us.

### And why i can't set time -hh…

And why i can't set time -hh:mm:ss- manually without using NTP?

Anonymous

July 05, 2017

### thanks for update !!…

thanks for update !!

i checked with http://ip-check.info/

with highest setting there are two points that the site mark bad:

- Authentication: unique ID
- Cache (E-Tags): unique ID

Is this ok so or what should I do?

thanks !!

go into About:config and turn off memory cache to disable the -Cache(E-Tags) Unique ID's

as far as the Authentication unique ID. there is no way to do so in firefox/tor. (so the only way you can safely get a new Authentication ID is to restart Tor each time you want to revisit a site you already previously visited.

### We believe those are false…

We believe those are false positives which the test can't detect right now. We contacted the ip-check developers and they are working on a fix.

Anonymous

July 05, 2017

### Cannot change listen and…

Cannot change listen and control ports using the TORRC file.

I tried switching ports to 9250 and 9251 however in Process Explorer it shows TOR listening on 9250, 9251 and the default 9150, 9151.

Also, I tried setting the SOCKS port in the browser network tab to 9250 and it crashes on startup.

### I figured out why TOR…

I figured out why TOR crashes if you change the ports, there are invalid characters in the commandline, but I don't know how they get there.

If you change TORRC to use SocksPort 9250 and ControlPort 9251, you end up with this commandline:

+__ControlPort 9251 +__SocksPort

for some reason the Tor Browser adds those two plus signs which causes Tor.exe to crash. If you copy the entire commandline to a windows batch file and remove those plus signs, Tor starts and listens on the custom ports.

### Could you get us a log file…

Could you get us a log file containing debug output so we can investigate the crash further? You could add a log entry to your torrc file like Log path\to\your\logfile\name. Or you could overwrite the tor.exe file in your bundle with the one from the expert bundle (https://archive.torproject.org/tor-package-archive/torbrowser/7.0.2/tor… for the current one). And starting Tor Browser afterwards should give you a console with tor log messages.

### Sorry for the late reply…

The crash still happens with TBB 7.0.11 and when adding the LOG option to torrc, no log is generated. Also, replacing TOR.exe with the one from the expert bundle doesn't help. The debug window closes almost immediately.

### How does your torrcfile look…

How does your torrcfile look like after you added the log option?

Anonymous

July 05, 2017

### Question for arma or another…

Question for arma or another knowledgeable Tor employee:

I used Debian 9.0 (stretch). I have installed Debian-tor to use apt-transport-tor so that I can access the repos using the onion mirrors, in hope of improving security (both anonymity and integrity) of sofware updates, as per

https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian…

The configuration file is in /etc/tor/torrc and it seems that the default configuration might not be optimal for apt-transport-tor. (I can use Tor Browser for web-browsing, which has its own tor engine and configuration.)

What is the safest configuration for users of apt-transport-tor?

### I think the default torrc…

I think the default torrc that you get with the Tor deb should be fine for use with apt-transport-tor.

(There are indeed power users out there on the Internet who make guides about all the knobs that you should turn. Every time you turn a knob you risk standing out a bit more. That's why we try to make the defaults good enough for most people.)

### Thanks much for the prompt…

Thanks much for the prompt and authoritative answer to my question!

I try to always keep in mind the tradeoff between maximing anonmyity (e.g. by using the default settings) and attempting to minimize vulnerabilties to the latest known attacks. This always involves difficult choices made on the basis of too little or too unreliable information, yet the choices must be made, so...

BTW, I accept that while Tor people know much much more than I do, anyone can be wrong, a risk which I also accept, because I know you are doing the best you can under difficult circumstances.

Anonymous

July 05, 2017

### tails fails to start tor…

tails fails to start tor after update to 3.0.1
log says:
/var/lib/tor has wrong permissions
config file can not be read

Anonymous

July 06, 2017

### I Want 64BITS Version! :(

I Want 64BITS Version! :(

Make it! ;)

Anonymous

July 06, 2017

### I'm asking for Tor E-mail…

I'm asking for Tor E-mail Client, please, make one I can recommend to freedom people.

### But no anonymous remailers…

But no anonymous remailers are involved, correct? So that you still need to obtain an email account from an ISP, presumably using your real identity at some point? (Note that ecash is typically not anonymous when your adversaries include the governments of SY, RU, US, etc.)

### Without an [desktop-based]…

Without an [desktop-based] email client (Thunderbird, Torbirdy,...) you can still use email in a safe way with https: by using the web-based email client of "quite trustable" providers like gmail (typing, sending, reading,... doing everything on the browsers, not on the desktop-based clients.

By using gmail that way (right on the browsers, not on desktop-based client), your LOCAL ISP will have no way to eavesdrop your email communication. Google themselves and NSA, however, may still be able to read your messages , so to cut through Google+NSA noise, use GPG to encrypt important information in the emails, only use plain text for unimportant information.

By using the two tactics (https emails like gmail and GPG to encrypt important information), all the third-parties (your local ISP, international ISP, NSA,...) will have ZERO chance to read your messages. Quite a bit more sophisticated, and require your partner to have to use GPG too, but using email will become "able" and safe for you.

### gmail is not at all…

gmail is not at all recommended : avoid _ tutanota could be a better option e.g.

Anonymous

July 06, 2017

### Hello!…

Hello!
How to make Tor traffic look like multiple file downloads over HTTP/XHR (not HTTPS)?
Will it ever be implemented?

Anonymous

July 06, 2017

### Hi!! Can a dev pls hlp me…

Hi!! Can a dev pls hlp me out? how u use bitcoin core with tor??? before you had vidalia... now u only have tor browser... how can u use just tor without open tor browser... so you can activate tor and bitcoin core to run over tor... u have to open ur tor browser at same time?

### I wanna know this too!

I wanna know this too!

Anonymous

July 06, 2017

### https://www.eff.org…

Be Prepared: Summer Security Camp
Aaron Jue
20 Jun 2017

> EFF has just launched the Summer Security Camp, a two-week membership drive that challenges people everywhere to gather ‘round the online rights movement and prepare for the privacy and free speech challenges in their paths.

Anonymous

July 06, 2017

Fuck this download!!! its fucking everything up for me. I can't log on to a certain site and never had a problem until this shitty update!!!! I HATE THIS SHIT, I'M LOSING STUPID MULAH!!!!!

Anonymous

July 06, 2017

### How can I use Roboform?

How can I use Roboform?

Anonymous

July 06, 2017

### Thank you for your work…

Thank you for your work. Russia needs TOR very much under Putin

Anyone has more information regarding Bogatov, like a potential release or so?? Any update?

### I also would welcome an…

I also would welcome an update.

Anonymous

July 07, 2017

YouTube is still not displaying properly (flashing when content overlaps).

Anonymous

July 07, 2017

### While update....there is…

While update....there is DETECTED:EE:Malwr.Heru.Graftor.369260
Why??????????????????????????????

Anonymous

July 07, 2017

### thank you for this apple

thank you for this apple

Anonymous

July 08, 2017

### As so many questions in this…

As so many questions in this blog from understandably confused newbies constantly demonstrate, even experienced Tor Browser users often don't know things they need to know in order to use Tor (or their indeed their PC/laptop) in less dangerous ways, given the threat environment facing Debian+Tor users.

I appeal again to the Debian Project/Tor Project team which (thank you!!) authored the "Tor at the Heart" post popularizing the onion service mirrors for Debian to do more to help Debian users avoid making potentially harmful errors.

Example: can you publish an updated version of the original post

https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian…

(and thanks for posting that!), taking account of the fact that the new Debian stable is stretch, and also of the fact that at some point contrib and non-free were quietly added to the onion mirrors (and thanks for doing that, it was badly needed!), please?

Example: can you publish a tutorial on how to use nftables (the replacement for iptables in Debian stretch)

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

to set up a personal firewall on our PC/laptop which

o plays nice with DHCP (for talking to a SOHO wired router),

o same for other common SOHO or internet cafe usage scenarios,

o doesn't inadvertently block other necessary and legitimate actions,

o plays nice with Debian-tor (for using apt-transport-tor),

o plays nice with Tor Browser (installed from the latest Tor Browser Bundle, so with its own stand-along Tor client),

If you don't publish timely HOWTOs, your users will go the internet for advice, where they will find all manner of

o misinformation ("a fresh Debian install is firewalled by default"),

o dangerously inappropriate/outdated information (my search engine "helpfully" pointed at ten year old HOWTOs on using ipchains to set up a firewall for a LAN).

The likely result: not just suboptimal solutions to security problems, but dangerous "solutions" which solve nothing but create even more vulnerabilities for ordinary Tor users.

https://lists.debian.org/debian-user/2017/07/maillist.html
https://wiki.debian.org/nftables
you could also contact a lug.
https://www.lifewire.com/soho-routers-and-networks-explained-3971344 (updated july 06 2017)
https://www.examcollection.com/certification-training/a-plus-how-to-sec…
# Debian users do not make 'potentially harmful errors' and do not follow dangerously inappropriate/outdated information.
take a look here for a better help :
https://sparkylinux.org/
or choose another distrib ,)
#time , patience & be involved needed
Thanks.

Anonymous

July 08, 2017

### Your browser does not seem…

Your browser does not seem to support HTML5 WebAudio

Anonymous

July 09, 2017

### I've noticed recently that…

I've noticed recently that my entry relays for all my connections were from the same nation, only one that nation.

I read about https://www.torproject.org/docs/faq.html.en#EntryGuards, but I think it would be troublesome if my entry guards were from only one country all the time. This didn't happen before (my entry relays had been from various nations). Are there some things wrong with that??

(I use obsf4 bridges, and I have just changed to use a very few bridges I saved before to change the nation of my entry relays).

### I used to create gmail…

I used to create gmail accounts on Tor Browser. One thing I noticed is that they (Google) match our GeoIP nation with our phone number country code: when these don't match, they won't allow us to create an account.

I can't recall how I overcome this, but it's possible. However, they (Google) seemed to figure out where I'm really from (which country/nation) when they finally allowed me to create the accounts (can't recall this exactly; that was quite some time ago)!

Anonymous

July 12, 2017