New Release: Tor Browser 9.0.9

Tor Browser 9.0.9 is now available from the Tor Browser download page and also from our distribution directory.

This release updates Firefox to 68.7.0esr, NoScript to 11.0.23, and OpenSSL to 1.1.1f.

Also, this release features important security updates to Firefox.

The full changelog since Tor Browser 9.0.8 is:

  • All Platforms
    • Update Firefox to 68.7.0esr
    • Bump NoScript to 11.0.23
    • Bug 33630: Remove noisebridge01 default bridge
  • Windows + OS X + Linux
    • Bug 33771: Update some existing licenses and add Libevent license
    • Bug 33723: Bump openssl version to 1.1.1f
  • Windows
Mateus

April 08, 2020


You are still not shipping the latest version of extensions with the browser and still relying upon automatic updates.

Mateus

April 08, 2020


How long does the first hop, Guard, stay the same? I've had the same Guard now for the past 7 or 8 months.

This single guard has persisted even through multiple Tor Browser version updates during that time. The only time the Guard changes is when I delete all the files in the settings files from the Data-Tor directory. Then whichever Guard gets newly selected, once again persists forever.

My concern here is security; when the same Guard persists for so long, someone could target it, as the first hop in a chain, to break anonymity.

@ boklm:

Do you know whether Tor Project still accepts donations by mail during the COVID-19 lock down? How about Riseup Networks? (I try to help Tails and Tor Project indirectly by donating to Riseup.)

No they don't take donations right now. torproject have donation lockdown online out of fear from the online spreading of Covid-19.

Just joking, they are hiding the virus thru several layers of encryption in your exit nodes and still accepting donations xD Merry Christmas!

I'm thinking maybe your Tor client actually is choosing a guard node every 2-3 months, but it just happens to have picked the same one three times in a row. As far as I know, the only reason for choosing a new one every 2-3 months is in case there is a guard available that has better uptime or bandwidth than the ones you already have. I don't think there are any anonymity concerns with using the same guards longer than the 2-3 month default, it's just that clients could miss out on higher-performance guards if they kept the same ones forever. So as long as your client is **checking** for a new guard every 2-3 months, it's okay if it chooses the same one it already has. I don't know for sure.

Can anyone confirm if this is correct?

> it just happens to have picked the same one three times in a row.

Unlikely. There are about 3,400 guard relays. I question OP's memory of 7-8 months ago unless they wrote it down at the time.
https://metrics.torproject.org/relayflags.html

> So as long as your client is **checking** for a new guard every 2-3 months, it's okay if it chooses the same one it already has. I don't know for sure.

Sounds correct to me, but I don't know for sure either.

@anon

Thanks for the link. It just confirmed my suspicions; that link states guard IP changes every 2 to 3 months. But I've had the same guard IP now for 7 or 8 months.

> My concern here is security; when the same Guard persists for so long, someone could target it, as the first hop in a chain, to break anonymity.

Thought I'd add that anonymity-preserving characteristics of Tor circuits are not always very intuitive, and based upon what we know about how our enemies have been de-anonymizing Tor users, it seems that keeping the Guards persistent is actually much less dangerous than changing them constantly.

That is why Tails Project has been trying so hard (for several years) to find some way of ensuring that people who boot Tails from a live USB keep their guards the same way that people who use Tor Browser installed in their regular system (booted from a hard disk).

Currently, can I set Guards in a live-booting (DVD/USB) Tails EASILY?
Something like root->run GUI/script for setting Guards manually or automatically?

Mateus

April 08, 2020


I don't see any benefit in continuing to bundle Disconnect search into the browser. It uses DuckDuckGo anyway, and it redirects to duckduckgo.com's results pages, providing no layer of privacy.

What is Tor Project's opinion of SearX, MetaGer, and Gibiru?

Disconnect is not included in current releases, if you do a new install. However if you installed Tor Browser a long time ago, you might still have it as the update process does not remove search engines.

I don't know MetaGer and Gibiru, but for SearX I think it depends who is running the instance you are using, and whether you trust them.

Linux. Disconnect and the other default search engines are defined in
/tor-browser_en-US/Browser/browser/omni.ja
--> /chrome/browser/search-extensions/list.json

    "visibleDefaultEngines": [
      "ddg", "ddg-onion", "google", "yahoo", "twitter", "wikipedia", "disconnect", "youtube", "startpage"
    ]

Mateus

April 08, 2020


Can I ask an open-ended question about an observation which has been worrying me?

Since many months I have noticed when surfing to sites such as Propublica multiple connections to very popular sites such as facebook.com which involve different Tor circuits, so the effect is that one user generates multiple streams to read one webpage:

user === entry1 === relay1 === exit2 -- OCSP.server (certificate lookup)

user === entry2 === relay2 === exit3 -- https.landing.page

user == entry2 === relay3 === exit4 ---https.landing.page

...

user == entry2 === relay5 === exit3 -- https.landing.page

As the above diagram suggests, often two or more of the circuits share an exit or relay node, and all have the same entry node. I often see five circuits just for one webpage. Doesn't this tend to enable deanonymization?

A related observation: when using the duckduckgo search site, I see separate circuits for OCSP lookup, icon download, and search query upload. Is this dangerous?

Any privacy researchers out there?

P.S. I see Facebook has teamed up with Carnegie Mellon Software Engineering Institute (SEI) to develop a digital contact tracing app for smart phone users who use FB (i.e. everyone?). Tor users are not likely to be happy about this partnership.

P.P.S.: am I wrong in guessing that Cloudflare runs about half of Tor exit servers?

Speaking of Cloudflare. I have observed that during a reload of a Cloudflare page the circuits rapidly change several times until the reloaded page is finally displayed. This happens with each reload. Guard node remains the same.

@ boklm:

It's a hunch based upon:

1. my guess that many sites I visit (US news sites and NGOs) are protected by Cloudflare from people abusing Tor to do DDOS against entities they dislike,

2. my observations that my Tor circuits to these sites almost always end with an exit node operated by a single large family of fast nodes,

My concern is not based upon the assumption that the OCSP server or even the website operator is knowingly collaborating with some entity hostile to Tor users (Carnegie-Mellon SEI perhaps?), but that said entity may have access to or influence over the family. My concern is that an entity which can control an exit node family (possibly without the knowledge of the putative operator) who has access to multiple circuits associated with a user accessing a specific webpage and who employs software engineers (e.g. SEI) can potentially deanonymize users.

Needless to say, I do not believe I am doing anything illegal or even wrong in attempting to read news articles (which to my knowledge are NOT behind paywalls). However, US law is extremely murky and as the USA continues to veer toward an ugly dystopian authoritarian kleptocratic style of "democratic government" [sic] (apparently modeled on Putinism), it may not be unreasonable to fear that hostile entities are plotting vicious actions against people who are not doing anything illegal, who are not even doing anything wrong.

Speaking of SEI, did you see that they are working with Facebook to develop a "digital contact tracing app" for smart phones, basically real-time geolocation which will share the details of all your physical contacts (and probably much much more) with government agencies? Further, did you see that local health authorities in the US have moved quickly to share "digital contact tracing" data on specific persons with local police? There is no indication that any US official (federal, state, county, municipal) plans to stop this dangerous information sharing after the first wave of the COVID-19 pandemic is declared "under control".

Your hard work and your feedback here are valued! Thank you and thanks to everyone who continues to make TP work during these difficult times.

> US law is extremely murky and as the USA continues to veer toward an ugly dystopian authoritarian kleptocratic style of "democratic government" [sic]

wired.com
Signal Says It Will Leave the US Market If the EARN IT Act Passes Congress
11 Apr 2020

> The end-to-end encrypted messaging app Signal, which is respected and trusted for its transparent, open-source design, says that it will be one of the immediate casualties should the controversial EARN IT Act pass Congress.

Why is Tor Project silent?

Perfect forward secrecy is built into Tor. It will be illegal under the EARN-IT Act. Tor Project is based in the USA and immediately subject to US law.

@ Isa: Signal's plan is to leave. What is our plan?

> I don't think
> I'm not even sure

I'm someone else and also speculating, but it would hypothetically be in their interests to trigger their own defenses, attack new unprotected customers toward contracting with them, throw a wrench into Tor users' experience, and more all at the same time. Although, DoS and surveillance contractors are in the interests of many organizations.

I think you are saying that Cloudflare clearly has an interest in promoting the possibly misleading notion that actual baddies are actually abusing Tor to mount DDOS attacks on legitimate news sites, when it is possible, maybe even probable, that many of those "attacks" are done by Cloudflare itself in order to drum up more business.

If so, yes, I agree. The US has made a terrible mistake in growing up a security industry instead of a privacy industry. Because the security industry has a vested interest in ensuring that cybersecurity and terrorism threats (as perceived by governments and businesses) only get even more dire, forcing entities with deep pockets to transfer more and more of their wealth to companies like Cloudflare.

That whole "China is stealing" narrative has a basis in fact, like any Big Lie, but it is essentially a magicians trick to divert attention from the far more serious home-grown kleptocracy.

Sit back and watch Big Bad Everybody steal all that COVID rescue money which Congress says it intended to direct to small businesses who lost all their customers due to mandatory lockdown.

It appears that GOP and Democratic Party loyalists actually agree on this. Their disagreement is about whether or not such naked kleptocracy is something to be admired and enabled, or something to be denounced and prevented.

DuckDuckGo - 2 covert problems:

1. Seemingly excusable auto-fetching of their icon if you are searching the DuckDuckGoOnion site (https://3g2upl4pq6kufc4m.onion over Tor Hidden Services), because they force your browser to download their icon over the clearnet from duckduckgo.com. So the browser always makes a simultaneous connection and leaves a connection record via the clearnet. Hence your hidden services connections may be tracked or deanonymized. Anyone to confirm the risk?

2. DuckDuckGo by default sends your search queries in the URL line ("GET" submission method), which makes your search words easy to log. In the settings they do offer the "POST" method (hopefully embedding your search words within the encrypted portion of traffic), but it's not enabled by default (??!) as if it's not the best for privacy.
If enabled, the setting will not persist in Tor Browser, so it's a hassle to do in every session.

Could the two be accidental?

1. I don't see any connection to duckduckgo.com when using their .onion address. But even if there was, it doesn't mean you get deanonymized.

2. I don't know why they use GET rather than POST but both encrypted in the same way. It seems POST is what is used if you search using the URL bar.

1. That's probably by design, otherwise many folks would have a problem. But DuckDuckGoOnion's cleartext connection to duckduckgo.com can be easily seen using some other tools (other than NoScript :-). Check it out by adding the uMatrix add-on, it's very informative. To block it in uMatrix, add a rule like this: 3g2upl4pq6kufc4m.onion duckduckgo.com * block
But of course, adding uMatrix is not recommended, and hence no one knows that this goes on?
Please create a ticket to address this privacy problem with DuckDuckGoOnion. If they really care about privacy, they should be able to serve their icon from the same .onion site.

2. GET vs. POST: no, they are not both encrypted in the same way :-)
Since the URL requests are not encrypted in the HTTPS traffic, then anything submitted via "GET", being attached to the requested URL, likewise is clearly observed and becomes a record in the webserver log.
Why DuckDuckGo uses GET by default is again a valid privacy concern. For example, StartPage offers encrypted POST by default.

Thanks for bringing these to your dev's attention.

Not fully. While the GET submission in URLs is encrypted in HTTPS, it WILL LEAK in:

  • the Referrer header (could be why DDGoOnion forces downloading the icon from clearnet?),
  • plaintext server logs on the DDGo HTTPS server,
  • quite possibly also in browser history,
  • probably also to any browser plugins (= say, inserted zero-day exploits),
  • possibly to other applications on the client computer.

https://security.stackexchange.com/questions/176164/is-it-possible-to-s…

"... it is very poor practice to include such sensitive data as a password in a 'GET' request.":
https://stackoverflow.com/questions/893959/if-you-use-https-will-your-u…

Wake up, Tor people.

I think it makes sense to ask that POST requests are used instead of GET requests, but it doesn't help to make inaccurate claims about encryption of GET requests. But this looks like something to ask to duckduckgo people, as it seems the issue is when searching from their website, with any browser, and not from the Tor Browser URL bar.

1. No. In Tor Browser, when you go from one origin (domain) to another, the browser only sends the domain part, not the path or query, as the referer. So when you click a search result, the site only sees "https://duckduckgo.com/" as the referer. The rest is cut off and discarded.
2. Yes, that's possible, but we don't know. For all we know, they log POST requests too.
3. TB is in permanent private browsing mode, so it doesn't keep any history.
4. This is just one more reason why you shouldn't install any addons/plugins/extensions in Tor Browser. And, if one of your plugins has a zero-day, you have much bigger problems already.
5. Can you give an example, where an application has access to GET data but not POST data?

Your links are irrelevant because TB never sends queries in the referer.
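As an added illustration of the GET-vs-POST point argued in the exchange above (this is example code written for this page, not Tor Browser, Firefox or DuckDuckGo code), the block below builds the plaintext HTTP request that TLS would carry for a search submitted with each method, shows what a server's access log keeps of it (the request line, in the style of Common Log Format), and models the cross-origin referrer trimming the comment above describes: only the origin crosses to another site, while same-origin navigations keep the full URL. The URLs and the search term are constructed for the example; the query is encrypted in transit by TLS in both cases, so the difference is only in what is recorded after TLS termination and what a third-party site can be told.

```javascript
// Added example, not code from Tor Browser or DuckDuckGo. URLs and the search
// term are constructed; the referrer rule below is a model of the behaviour
// described in the thread (origin only when crossing origins).

// Build the plaintext HTTP/1.1 request that TLS would protect on the wire.
// For GET the query rides on the request line; for POST it sits in the body.
function buildSearchRequest(method, baseUrl, query) {
  const u = new URL(baseUrl);
  const encoded = new URLSearchParams({ q: query }).toString();
  if (method === "GET") {
    u.search = encoded;
    return `GET ${u.pathname}${u.search} HTTP/1.1\r\nHost: ${u.host}\r\n\r\n`;
  }
  return (
    `POST ${u.pathname} HTTP/1.1\r\nHost: ${u.host}\r\n` +
    `Content-Type: application/x-www-form-urlencoded\r\n` +
    `Content-Length: ${Buffer.byteLength(encoded)}\r\n\r\n${encoded}`
  );
}

// What a Common-Log-Format access log records of a request: the request line.
// Bodies are not logged by default, so a POSTed query stays out of this line.
function accessLogRequestLine(rawRequest) {
  return rawRequest.split("\r\n")[0];
}

// True if the submitted search term can be read back from the log line alone.
function queryVisibleInLog(rawRequest, query) {
  const encoded = new URLSearchParams({ q: query }).toString();
  return accessLogRequestLine(rawRequest).includes(encoded);
}

// Referrer sent when navigating from `fromUrl` to `toUrl` under an origin-only
// cross-origin trimming policy: same origin keeps the full URL (query included),
// a different origin receives just "scheme://host/".
function referrerFor(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  return from.origin === to.origin ? from.href : from.origin + "/";
}

// Stand-alone demonstration with a constructed search.
const searchPage = "https://duckduckgo.com/";
const getReq = buildSearchRequest("GET", searchPage, "secret topic");
const postReq = buildSearchRequest("POST", searchPage, "secret topic");
console.log(accessLogRequestLine(getReq), "->", queryVisibleInLog(getReq, "secret topic"));
console.log(accessLogRequestLine(postReq), "->", queryVisibleInLog(postReq, "secret topic"));
console.log(referrerFor("https://duckduckgo.com/?q=secret+topic", "https://example.org/article"));
console.log(referrerFor("https://duckduckgo.com/?q=secret+topic", "https://duckduckgo.com/settings"));
```

Running it with Node prints `GET /?q=secret+topic HTTP/1.1 -> true` and `POST / HTTP/1.1 -> false`, then `https://duckduckgo.com/` for the cross-origin click and the full `?q=` URL for the same-origin one, which is why the server-log item in the list above holds for GET while the referrer item does not apply to a browser that trims cross-origin referrers to the origin.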

> Seemingly excusable auto-fetchng of their icon if you are searching the DuckDuckGoOnion site (https://3g2upl4pq6kufc4m.onion over Tor Hidden Services), because they force your browser to download their icon over the clearnet from duckduckgo.com.

I sometimes see that too. More speculation: something goes wrong when the first circuit is overloaded, and the icon is somehow downloaded in a dangerous way.

Very annoying because of course the icon serves no useful purpose for us... but might serve a purpose for our many enemies.

Mateus

April 08, 2020


Comments are closed on Remote Work and Personal Safety, but I want to ask if anyone has been able to group chat (more than 2 people) by voice and video through Jitsi Meet or Nextcloud installed on an onion service. I read about Mumble's latency, but I wanted to know how badly voice and video in Jitsi Meet and Nextcloud are degraded if they can be hosted on an onion service and if Tor Browser allows voice or video.

Interesting question, Anonymous. I believe Jitsi Meet normally sends the audio/video streams over UDP, but I think it might have a fallback for using TCP instead?

I would hope and assume that Tor Browser disables the mechanisms that Jitsi and other WebRTC software uses to make peer-to-peer connections, but if the connections are all routed through the onion service then it should be safe. With some latency, I'm sure, and you'd probably want to reduce the resolution/bitrate to the minimum possible.

Mateus

April 08, 2020


Since tor updated to 9.0.9 on my Windows 10 64, tor connects but all tabs crash with the comment "Gah. Your tab just crashed." I reinstalled tor with antivirus disabled but still have this problem. I did not have the problem with previous versions.
I am not a computer expert so if someone can give an easily understandable solution that would be most appreciated

Mateus

April 08, 2020


I would like Tor to include an extension for translating pages that are in another language, by preference. I would also like the security level you choose not to affect videos and images, that is, that they can still be viewed even after the security level has been changed; when I set a higher security level I cannot see videos or images. I would also like them to launch a chat messaging application just like Signal Messenger; that would be great.

I tried to translate this request and think I got the gist:

> I would like Tor to include an extension which translates webpages in another language; also I would like to ask for a security setting which fools websites into thinking the Tor user is using a lower security setting which would normally be required to watch daring videos and images; also I would like Tor to include a chat and messaging application competitive with Signal. That would be beyond brilliant!

Someone please correct me if I got anything wrong. I am particularly uncertain that I correctly translated "osea" as "daring", which I understand to refer to something like a video of a government action which violates human rights (unfortunately a common occurrence in many countries these days).

Tails (tails.boum.org) allows you to run a Linux distribution with Tor Browser and other anonymization and security enhancing tools built in from a "live USB". All running software and data exists only in volatile memory and any data is stored permanently only if you choose to store it in a data USB (which you can encrypt with LUKS, the Linux encryption which uses Rijndael, which is also called AES cipher). Further, you can choose to automatically install (from code stored in a LUKS encrypted "Persistent Volume"), when you boot your device from your Tails USB. In particular you can install apertium which provides reasonable machine translation between certain languages, including Spanish/English. I recommend also installing gocryptfs so that you can protect files stored in the encrypted Persistent Volume when you are using your Tails session to go on-line, because you need to unlock the Persistent Volume in order to use the Tails feature which loads additional software such as apertium, but for better security you should avoid exposing all your personal files (stored in the unlocked Persistent Volume) when you are connected to the Internet.

I have my own feature request for Tails: I would like future Tails to include gocryptfs without having to install it from the encrypted volume, for better security.

I second the request to restart the Tor Messenger project, which unfortunately failed the first time around. As some readers will recall, the official reason was that the technical challenges had proven insurmountable using the first approach to writing the needed software, which was intended to work on most devices (laptops, smart phones). I do not disbelieve the official version, but it seems clear that Tor Messenger is exactly the kind of desperately needed software which FBI insists "should" [sic] be illegal under US law (and hence illegal everywhere, since Tor Project and most Internet infrastructure effectively operates under US law). But a human rights organization must strongly resist attempts from FBI (or any other agency which is habitually oppressive to human rights) to bully Tor Project, volunteer Tor node operators, or Tor users.

@ people in Chile, Ecuador, Mexico, Venezuela, etc: please use Tor! I'd like to hear from you about political events in your country!

Monied interests in the US (and around the world) are eagerly declaring that the Bernie Sanders progressive revolution has been "defeated" [sic]. I say: balderdash! Let's make a progressive (political) revolution sweep both North and South America! Away with all these Bannonistas, Bidenistas, Bloombergians, and Bolsonarios! Down with Big Oil, Big Pharma, Big Banks, and Big Soda! Confusion to the alt-right racists and the Putinist trolls! Power to the People!

The reason for stopping Tor Messenger has nothing to do with FBI. The main reason was that Instantbird (on which Tor Messenger was based) was no longer maintained, and we don't have the resources to maintain a full messenger application ourselves. But there are other people developing instant messenger apps too. One of them is https://ricochetrefresh.net/ (although it seems to be still experimental and I have not tried it).