Tor Browser 7.5.4 is released

Tor Browser 7.5.4 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to 52.8.0esr, HTTPS Everywhere to 2018.4.11, and NoScript to 5.1.8.5. In addition, we exempted .onion domains from mixed content warnings and fixed a fingerprinting issue and an issue with localized content.

The full changelog since Tor Browser 7.5.3 is:

  • All platforms
    • Update Firefox to 52.8.0esr
    • Update HTTPS Everywhere to 2018.4.11
    • Update NoScript to 5.1.8.5
    • Bug 23439: Exempt .onion domains from mixed content warnings
    • Bug 22614: Make e10s/non-e10s Tor Browsers indistinguishable
    • Bug 22659: Changes to `intl.accept.languages` get overwritten after restart
    • Bug 25973: Backport off-by-one fix (bug 1352073)
    • Bug 25020: Add a tbb_version.json file
Anonymous

May 10, 2018

  • Bug 23439: Exempt .onion domains from mixed content warnings

Many comments on that bug and tickets they link to debate how to treat HTTPS clearnet the same as HTTP onion services, but I don't see a perspective of the consequences from the insecure end. Meaning:

Now that HTTP onion services are treated as secure and now that HTTP onions are exempt from mixed content warnings, then is HTTP onion service traffic recognized and warned as different from HTTP to clearnet? If an HTTP .onion webpage loads content from an HTTP clearnet domain, does Tor Browser still warn about mixed content? Or since they are both HTTP, does the warning not appear?

Anonymous

May 10, 2018

i that the former post says that "Domain Fronting Is Critical to the Open Web" and also i note that the tor project tor browser has enabled the following about:configs

media.getusermedia.screensharing.allowed_domains;
media.getusermedia.screensharing.enabled;true

many many domains sharing and trusted and allowed!

so why not trust them for your other purposes as well?

Anonymous

May 11, 2018

Brand new user here, still working my way around. I am not as technologically-inclined like a lot of you are, so I hope to get lots of tips on how to properly use TOR.

Welcome to the club!

Good advice on using Tor Browser wisely:
https://www.torproject.org/download/download-easy.html.en#warning

Advice on using Tails wisely:
https://tails.boum.org/doc/index.en.html

If you want help trying to explain to your friends why privacy matters, some of the best books I have read which explain why ordinary citizens need Tor are:

Julia Angwin, Dragnet Nation, 2014
Daniel J. Solove, Nothing to Hide, Yale U Press, 2011
Cathy O'Neil, Weapons of Math Destruction, Crown, 2016
Jennifer Granick, American Spies, Cambridge U Press, 2017
Virginia Eubanks, Automating Inequality, St Martin's Press, 2017
Cyrus Farivar, Habeas Data, Melville House, 2018

In coming months, look for upcoming stories (unless USIC kills them) on how US National Labs have constructed supercomputer models in which every USPER is individually modeled, along with their relations to family, friends, and coworkers. These models are built using USG and private databases holding information on education, employment, finances, health, travel, local government interactions, social media, &c. The models are run, tweaked by some possible government action, then rerun to see which alternative most increases the government's self-defined "utility value". This is, rather literally, surveillance of The People by the Government for the Good of the Government and against the Good of the People. Anything you (or your family or friends) say or do today can be used against you decades into the future. This is what Snowden is talking about when he uses the apt term "databases of ruin".

These population control supercomputer modeling programs were one of USG's most closely guarded secrets for decades, but former LANL scientists are finally beginning to hint in interviews with major news organizations what they have been doing, starting with modeling which might appear "benign" or even beneficial:

wired.com
Scientists Know How You’ll Respond to Nuclear War—and They Have a Plan
Using an unprecedented level of data from more than 40 different sources, researchers can now make synthetic populations of entire cities.
Megan Molteni
13 Feb 2018

Much of this work has been done under cover of "traffic engineering" (no joking). The people who do this work know very well that this is merely a cover for much nastier modeling. Think "predictive policing" on steroids.

Another leader in this is China, which is doing it openly. Joseph Stalin would have loved this technology.

Anonymous

May 11, 2018

None of my Obfs bridges work anymore with Tails 3.7. They did work with Tails 3.6.2. Don't know if this is a Tor issue, Tor Browser issue or a Tails issue.

Anonymous

May 11, 2018

In Linux, Ubuntu 17.04 with Mate Desktop, Tor browser bundle leaves opened files that prevent unmounting of encrypted files. I have to find them with lsof and kill the processes. I've noticed that all of them are related with gvfsd.

Thanks for the great work.

Anonymous

May 11, 2018

Thank you.. I am not very computer literate, but really like this anonymous, and not being traced on the web. Thank you for the time, and effort that it takes to continue this.

I don't understand your concern. Suppressing steganography would be much like suppressing encryption itself--- hiding the fact, content, and destination of traffic is what Tor products are all about, so it doesn't really make sense to complain to Tor Project about steganography.

The article describes a long used method of steganography, which is useful for activists and endangered dissidents who live in repressive nations. It also mentions digital watermarking, which can be used by activists for good purposes as well as by censorship-enabling companies such as Forensicon for (apparently) bad purposes. In short, like everything else, software cannot know who is using it and why. Sometimes the bad guys use good things for bad purposes--- that's life.

In any event, I very much doubt Tor Project can "do something" about the use of steganography even if anyone wanted to do that.

Anonymous

May 12, 2018

Here Here for Orbot Captcha hell...

I am here now because I have Tor on 3 windows lappies and when I accept the 7.5.4 update all of them give a ("general SOCKS server failure") I have a good copy of 7.5.3 and have reverted back on all 3 and they connect fine...

Not a complaint just an observation...

Keep up the necessary good work for the fight for anonymity...

Could that be that an old Tor is not properly shut down during the update? Could you make sure that no Tor is running anymore and then install a fresh, new Tor Browser 7.5.4 to a different location and check whether that solves your problem?

Anonymous

May 13, 2018

I don't know much about HTML code, JavaScript, Scores of Languages or Linux operating systems but I feel as though computers might be my thing. Yeah.... a paradox. But I'm looking into going to college for IT next year and I would like to volunteer for Tor Browser. So any advice, tips, tricks, or special invitations to help me out?

Here is one piece of advice: get to know The Enemy. This is a project to work on over the next few months, not an easy path but I think essential for anyone who wants to work for Tor Project.

You should probably begin by downloading all the published Snowden links, ANT catalog, SpyFiles catalog, etc. before the end of Net Neutrality (11 Jun 2018) just to be sure you will be able to read them when you know enough to understand them. Then you can start reading the following links (roughly prioritized from easy/short/recent to technical/lengthy/dated):

Up to date and readable outline of the basic issues:
https://theyarewatching.org/

Dated but easy reading (WARNING: dodgy cert):
https://www.aclu.org/issues/privacy-technology/surveillance-technologies

A bit more technical, somewhat dated:
https://ssd.eff.org/

Excellent source for latest information on surveillance-as-a-service companies:
https://citizenlab.ca/

Good advice from Micah Lee:
https://theintercept.com/2016/11/12/surveillance-self-defense-against-t…

Fabulous compendium of surveillance-as-a-service companies and their products:
https://theintercept.com/surveillance-catalogue/

Another excellent source of information on surveillance-as-a-service-companies:
https://wikileaks.org/The-Spyfiles

Searchable index of the leaked emails from defunct spyco HB Gary Federal:
https://www.wikileaks.org/hbgary-emails/?q=&mfrom=&mto=&title=&notitle=…

Leaked newsletters from a spyco: Stratfor:
https://search.wikileaks.org/gifiles/

The best source of information on NSA surveillance (highly technical):
https://www.eff.org/nsa-spying/nsadocs
(Read Jennifer Granick's book American Spies for some help understanding Snowden leaks.)

The ANT catalog, the most important post-Snowden leak (includes copies of original NSA docs):
https://en.wikipedia.org/wiki/NSA_ANT_catalog

Information on CIA cyberespionage (technical and at the center of political controversy in USA):
https://wikileaks.org/vault7/

Excellent source of information on the revolving door between US military/USIC and spycos:
https://icwatch.wikileaks.org/search?action=index&controller=search&doc…

Dated but invaluable (WARNING: not an https site?)
http://projects.washingtonpost.com/top-secret-america/
(Many of the companies named have merged or changed names.)

The Intercept (theintercept.com) regularly publish stories on surveillance mercenaries, private security forces like BlackSwan, police misconduct around the world. The Guardian (theguardian.com) has published many important stories on outrageous infiltration by UK police of EU peace/environmental groups and extralegal killings of environmentalists and reporters. Human Rights Watch (hrw.org), Amnesty (amesty.org), Reporters without Borders (rsf.org) are excellent sources of information upon current human rights abuses, very few of which are covered by most major US/EU newspapers.

Years ago, Bloomberg News published many good articles on spycos, for example:
https://www.bloomberg.com/news/articles/2012-08-29/spyware-matching-fin…
But they appear to have removed their index to these stories after it was revealed the company was routinely spying on its own reporters.

Anonymous

May 13, 2018

Tor 7.5.4 hangs even worse than the past 2 versions e.g.
tripadvisor.com
vrbo.com
flipkey.com
suddenlink.com
nationwide.com
usps.com
Unusable.

Anonymous

May 14, 2018

Thank you for your ongoing work. You help create as much liberty as we can experience in these times.

Donation in transit.

Health, happiness and prosperity to you and yours

Anonymous

May 15, 2018

One thing I have noticed that has arisen in 7.5.4 is that the entry (first country listed) circuit is static and cannot / will not change even when requested.

In one install I am forced to use United States.

In another install (yes, both 7.5.4) I am forced to use Switzerland.

In both cases the other two (second and third) circuits will change, but the first - never.

This is a Windows browser. Thanks.

Anonymous

May 16, 2018

Thank you so very much for your constant great work. It is absolutely essential to have TOR available. I can not stress out how important it is.

So, thank you for your fantastic work.

Anonymous

May 16, 2018

In TBB media.gmp is off.
How can i switch off this s..t in vanilla Firefox?

I have turned off all media.gmp but nevertheless FF is downloading
.dll in profile-directory 'gmp-gmpopenh264'.

Anonymous

May 18, 2018

I have a question similar to one asked by a couple of Tor users under 7.5.3 but never answered.

I have noticed that occasionally when I switch between pages of the same web-site, the guard node changes. Why is this?

Why is the ‘new’ guard node trying to ‘muscle in’?

Please let me and the users from 7.5.3 know.

Thanks for all your work.

Anonymous

May 24, 2018

Thank you for contributing to our online privacy. The amazing improvements make such a noticeable difference to the protection you provide - especially during the past 12 months. Your service to the community is admirable.

Anonymous

May 25, 2018

Meltdown/Spectre strikes again!
CVE-2018-3639 (Speculative Store Bypass) Spectre V4
CVE-2018-3640 (Rogue System Register Read) Spectre V3a
Do these affect Tor?
