Tor Browser 4.0.3 is released

by gk | January 13, 2015

A new release for the stable Tor Browser is available from the Tor Browser Project page and also from our distribution directory.

Tor Browser 4.0.3 is based on Firefox ESR 31.4.0, which features important security updates to Firefox. Additionally, it contains updates to meek, NoScript and Tor Launcher.

Here is the changelog since 4.0.2:

  • All Platforms
    • Update Firefox to 31.4.0esr
    • Update NoScript to 2.6.9.10
    • Update meek to 0.15
    • Update Tor Launcher to 0.2.7.0.2
      • Translation updates only

Comments

Please note that the comment area below has been archived.

January 13, 2015

I wonder how "current" the crypto/HTTPS in the new browser version is. Have not tried yet.

e.g. DSA or RC4 are outdated?
How trustworthy is DSS? And Camellia?
Or try downloading from the Mozilla FTP pub with GCM-SHA256? Fail.
Why AES128 only in security.ssl3.ecdhe_rsa_aes_128_gcm_sha256?
Why not crypto with Twofish?
And so on.

I hope detailed crypto and media information is activated again.

Well, you can deactivate RC4.

Type in the address bar of firefox

about:config

then search for "RC 4" or "RC4"

then deactivate all entries listed, i.e. switch them from "true" to "false"

that's it ! :)

January 14, 2015

Just wanted to say a huge thank you to everyone that works on TBB and associated products. I know lots of people complain about stuff but I just wanted to say that your work is greatly appreciated (by me at least). THANKS AGAIN. There are many adversaries out there trying to watch every last little thing that we do but with your help we can hold them off a good while longer.

Complaining is one thing, giving constructive criticism is another. Only the liberals and the government complain because things don't go their way.

January 14, 2015

Thanks!

I have a question.

I have heard cyber police can track users by the computer's IP! Is it true?

If yes, is there any way to change the computer's IP?

I mean the IP obtained via:

Run > Cmd > ipconfig > IPv4

No. That is untrue.

There is no such thing as Internet police. Laws vary from country to country, so what's legal in one country could be illegal in another.

If you don't take measures to hide your real IP address, and you then start using peer-to-peer sites to obtain content that is protected by copyright (for example, you download the latest Red Hot Chili Peppers album), then because you are now sharing that with the world (by default with most P2P software), you could end up sharing it with one of many computers that the Recording Industry Association of America (RIAA) have set up to trace the sharing of copyrighted material. The Motion Picture Association of America (MPAA) are the ones who get involved if you've downloaded and shared movies, the RIAA take care of music, and so on.

The RIAA, in this example, then go to the local courts to request a court order instructing the Internet Service Provider (ISP) of the IP address to give them the details of the person who used the IP address at the time the copyright infringement occurred. Details in hand, they go to the police because you broke the law, and you get a slap on the wrist. It's not exactly a huge criminal act as far as law enforcement are concerned.

With the criminal conviction in the bag, they then set about ruining you financially and they commence legal proceedings against you for sharing content that was copyrighted, and demand no less than $750 per song shared to any 1 person. So if 100 people downloaded 1 song, they sue you for $75,000. They make up a random number of people that they think have downloaded the copyrighted material you have made available for downloading, and slap you with a ridiculous bill in the millions that nobody would be able to pay.

There are several horror stories out there of the RIAA bullying families to bankruptcy because their children have been loading up on copyrighted content, and it's not the downloading that they're hot and bothered about, it's the fact that you made the copyrighted material available for others to download from you.

I'm not recommending that you break copyright laws at all. However, a service like Tor will cloak your real IP address from any drone computer the RIAA may have set up, and if your IP address is in North Korea, the RIAA don't have jurisdiction there, so they'd have to drop it and move on to the next case, hoping it's easy and straightforward.

Bottom line: Use Tor.
Written by JerryU

There is always a way to track someone's IP and track their activity. There is internet police, but they don't actually act on something unless it's their own getting threatened. In other words, say for example, you go to a chat site where there are predators on it. You report it to the FBI because there are hackers and stalkers on there. They will blatantly ignore it because they don't consider it a priority, yet if you send an e-mail to one of them threatening their life, all of a sudden it becomes a priority and they're all over you like a pig in sh-t.

When it comes to the RIAA and copyright material, don't worry about it. I've been a pioneer of peer-to-peer programs and have never been caught on Tor. There is a lot of gossip that peer-to-peer networks may leak information, but that's untrue, otherwise I would've gotten notices in the mail like I did when I was testing Tor with cable. I was getting them without Tor and wasn't getting them with Tor. The thing that everyone doesn't know is that when the RIAA began bringing people to court, they had to give back 9 billion dollars because they were illegally hacking computers and claiming people were illegally downloading when they weren't. That was in 2005; after that, the RIAA was scared to death of bringing someone to court in fear of the speculation from the court of them planting copyright material in someone's computer for the sake of getting $250,000 from someone. The criminal mind is that it's easier to gain the profit back by falsely accusing someone, that way they can gain the money back from what they lost from it. There are people who may say don't encourage copyright "theft"; in reality, the entertainment industry is worth about $90 billion dollars a year. They aren't going bankrupt.

I don't think you can change the entry node without restarting Tor Browser or having a different controller accessing it. Your circuit is visible in the alpha version of Tor Browser. We are currently testing this feature.

January 14, 2015

I want to know: if I update the TBB, do I need to delete the folder and subfolders of TBB, then extract the TBB somewhere?

January 14, 2015

Hello, how secure is the included updater in 4.0.2? Does the NSA have the capability to tamper with updates using this mechanism?

It's hard to say anything about the NSA's capacity, but the updater is quite secure, we think. It is getting even more secure with signed updates, which are currently being tested in the alpha series.

January 19, 2015

In reply to gk

How secure can the internal updater be when it apparently doesn't even attempt to verify the update?

January 14, 2015

In the Tor Browser 4.0 release announcement https://blog.torproject.org/blog/tor-browser-40-released mikeperry wrote: "Please also be aware that the security of the updater depends on the specific CA that issued the www.torproject.org HTTPS certificate (Digicert), and so it still must be activated manually through the Help ("?") "about browser" menu option. Very soon, we will support both strong HTTPS site-specific certificate pinning (ticket #11955) and update package signatures (ticket #13379). Until then, we do not recommend using this updater if you need stronger security and normally verify GPG signatures."
So I'd like to know if it is now safe to update TBB 4.0.x through the Help / "about browser" menu option or not yet.

January 14, 2015

I am seriously not trying to troll here, but:
What is the deal with the binaries not giving the same checksum as when we compile Tor ourselves from source? (Honest question and honest concern).

Someone might have tampered with the binary you are downloading or the binary you are compiling yourself. Have a look at Mike Perry's and Seth Schoen's reproducible builds talk at the 31C3 for the issue.

January 14, 2015

hello

The religious dictator regime in Iran tortured and imprisoned bloggers.
The religious dictator regime in Iran is one of the greatest enemies of the Internet.
I'm a blogger and I'm blogging with security (with Tor).
Iran is a prison for journalists, freedom and dissidents.

thank you.

> The religious dictator regime in Iran tortured and imprisoned bloggers... Iran is a prison for journalists, freedom and dissidents.

Josh Wolf says hi.

> The religious dictator regime in Iran is one of the greatest enemies of the Internet.

Did you mean to say NSA?

The NSA does things, which can have positive and negative effects. They make it harder to be anonymous. But in Iran, you can die just for saying the government is stupid.

January 14, 2015

Great! I have an idea for the Tor project, instead of making data go through 3 Tor relays, make data go through 6 Tor relays. That would make Tor impossible to be hacked by anyone.

The Tor network has a large surplus of middle relays, so adding an additional middle relay would not necessarily take network capacity away from other users.

The extra time would consist of a) the additional latency of going through an additional relay and b) the chance of choosing an additional middle relay that has the lowest available bandwidth of each relay in the circuit.

The length should be four relays (at a minimum). That would place (at least) a two-relay onion route between either the entry relay or exit relay and any network observer (at one link) along the path. As it is with third-generation onion routing, the fixed three relay length allows the middle relay to know the IP addresses of both the entry and exit relays (as well as the timing information) of every circuit it serves as a middle relay for.

Since onion routing does not protect against an adversary that can see both endpoints of the onion route, no observer should know the physical locations of both endpoints, let alone so easily and with certainty.

Please see the paper "A Peel of Onion" by Paul Syverson at https://www.acsac.org/2011/program/keynotes/syverson.pdf section 4 for some of the rationale behind the circuit length design choices for each of the three generations of onion routing.

January 14, 2015

Has Erinn changed gpg keys? I got a "bad signature" output when verifying tbb 4.0.3. Additionally, I noticed in archive.torproject.org that the asc files for this latest release have a different "last modified" date than that of the corresponding bundle. That isn't usually the case is it? Should I be worried?

As always, thank you Tor Project.

January 17, 2015

In reply to gk

I tried to verify tbb 4.0.3 en_us.exe.
I've never had a "bad signature" output before. tbb 4.0.2 and tbb 4.0.0, which I still have, produce the expected output, as do a couple of other applications that I verified today.

Thanks again.

Never mind, it was a corrupted, somewhat smaller executable. I downloaded again, this time with no problems, and verified it. No problem. I feel a bit stupid now.
Anyway, thanks.

This is actually happening to me too! I keep getting:
gpg: Signature made Di 13 Jan 2015 20:10:16 CET using RSA key ID 63FEE659
gpg: BAD signature from "Erinn Clark "
I don't think it's a corrupted d/l, I redownloaded tor-browser-linux64-4.0.3_en-US.tar.xz three times. Creepy.

January 14, 2015

I have Windows 8.1 and it's telling me my PC can't run this app. Any solution, or just a bug?

What type of processor do you have? If it's ARM, you're not going to be able to run any modern browser other than IE. Windows on ARM doesn't provide the APIs they need for fast processing of JavaScript, including the internal JavaScript the browser is based on.

January 14, 2015

I keep getting:
An error occurred during a connection to www.torproject.org. The server rejected the handshake because the client downgraded to a lower TLS version than the server supports. (Error code: ssl_error_inappropriate_fallback_alert)

I'm using TBB 4.0.2.

This has been happening occasionally for the past several weeks, IIRC ever since POODLE. Clearing history, switching to new exit node, etc doesn't fix it. Waiting a couple days usually does fix it.

Is anybody else getting this, or is it just me?
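The error text quoted above is Firefox's rendering of a TLS alert defined in RFC 7507: a client that retries a failed handshake at a lower protocol version adds the TLS_FALLBACK_SCSV signalling cipher suite, and a server that actually supports a higher version answers with an inappropriate_fallback alert instead of completing the handshake. The model below is an added example for this thread, not code from Firefox, NSS or the Tor Project; the version numbers, suite codes and alert numbers are the real protocol constants, while the `path_ok` hook (does the first hello get through?) is a modelling assumption standing in for whatever interrupted the original handshake.

```python
"""Model of why a TLS client ends up with ssl_error_inappropriate_fallback_alert.

Added example; not code from Firefox, NSS or the Tor Project. It implements
the server-side rule of RFC 7507 (TLS_FALLBACK_SCSV) and a browser-style
"retry one version lower" client, so the exchange behind Firefox's error can be
traced step by step. The path_ok callback is a modelling assumption.
"""
from typing import Callable, List, NamedTuple, Tuple

TLS_FALLBACK_SCSV = 0x5600             # RFC 7507 signalling cipher suite value
ALERT_INAPPROPRIATE_FALLBACK = 86      # RFC 7507 alert number
ALERT_PROTOCOL_VERSION = 70            # RFC 5246 alert number
ECDHE_RSA_AES_128_GCM_SHA256 = 0xC02F  # a real suite, used to fill the list

TLS10, TLS11, TLS12 = (3, 1), (3, 2), (3, 3)
NAMES = {TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}


class ClientHello(NamedTuple):
    version: Tuple[int, int]          # highest version the client offers
    cipher_suites: Tuple[int, ...]


def server_respond(hello: ClientHello, server_max, server_min=TLS10):
    """RFC 7507 section 3: if the client signals a fallback and offers less than
    the highest version this server supports, refuse with inappropriate_fallback."""
    if TLS_FALLBACK_SCSV in hello.cipher_suites and hello.version < server_max:
        return ("alert", ALERT_INAPPROPRIATE_FALLBACK)
    if hello.version < server_min:
        return ("alert", ALERT_PROTOCOL_VERSION)
    return ("server_hello", min(hello.version, server_max))


def client_connect(server_max, path_ok: Callable[[Tuple[int, int]], bool],
                   versions=(TLS12, TLS11, TLS10)):
    """Browser-style fallback: offer the highest version first; if that handshake
    never completes (path_ok returns False, e.g. the connection was reset in
    transit) retry one version lower and add TLS_FALLBACK_SCSV to the suites.
    Returns (outcome string, transcript of attempts)."""
    transcript: List[str] = []
    fell_back = False
    for v in versions:
        suites = (ECDHE_RSA_AES_128_GCM_SHA256,)
        if fell_back:
            suites += (TLS_FALLBACK_SCSV,)
        if not path_ok(v):
            transcript.append(f"ClientHello {NAMES[v]}: no response, retrying lower")
            fell_back = True
            continue
        kind, value = server_respond(ClientHello(v, suites), server_max)
        tag = " +SCSV" if fell_back else ""
        if kind == "alert":
            transcript.append(f"ClientHello {NAMES[v]}{tag}: alert {value}")
            if value == ALERT_INAPPROPRIATE_FALLBACK:
                return "ssl_error_inappropriate_fallback_alert", transcript
            return "ssl_error_protocol_version_alert", transcript
        transcript.append(f"ClientHello {NAMES[v]}{tag}: ServerHello {NAMES[value]}")
        return f"connected {NAMES[value]}", transcript
    return "ssl_error_no_versions_left", transcript


def healthy_path(_version):
    return True


def first_attempt_dropped(version):
    # Constructed fault: the TLS1.2 ClientHello is never answered (reset, dropped,
    # or rejected by a version-intolerant peer); lower versions get through.
    return version != TLS12


def scenarios():
    """Three runs that separate the cases a troubleshooter needs to tell apart."""
    return {
        # Server speaks TLS1.2 and the path is fine: ordinary TLS1.2 connection.
        "tls12_server_healthy": client_connect(TLS12, healthy_path)[0],
        # Server speaks TLS1.2 but the first hello was lost; the SCSV-marked retry
        # is refused. This is the error reported in the comment above.
        "tls12_server_fallback": client_connect(TLS12, first_attempt_dropped)[0],
        # Legacy server whose maximum is TLS1.0: the retry is not below its maximum,
        # so SCSV does not fire and the connection completes at TLS1.0.
        "tls10_server_fallback": client_connect(TLS10, first_attempt_dropped)[0],
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

The second scenario is the diagnostic point: the alert is sent by a server that does support the higher version, so seeing it for one host only, intermittently, says the first handshake to that host is failing before the server answers, not that the server is too old.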

January 16, 2015

In reply to gk

Yes, I currently get ssl_error_inappropriate_fallback_alert only for www.torproject.org. I still get it today (January 16), and it always fails (changing exit node doesn't help). I don't get it for blog.torproject.org. IIRC I got it once for duckduckgo.com a few weeks ago, but never again. DDG works fine now.

I'm using Tor 0.2.4.24 configured as a transparent proxy on a separate gateway machine (so a browser exploit can't reveal my IP address), and TBB 4.0.2 (instead of regular FF, so I'll look like other TBB users) set to transparent proxy mode (i.e. doesn't use TBB's built-in Tor).

I don't know if my split configuration is the problem, but it works fine (and has for years) everywhere else, including with TLS; only www.torproject.org is currently failing.

OS is Debian 7 stable, with Linux 3.2, both for the gateway (running Tor) and for the client machine (running the browser).

January 16, 2015

In reply to gk

More info: enabling 4.0.2's built-in Tor (so now I'm using Tor over Tor; extremely slow) solves the problem.

But my split configuration should not be causing the problem I'm seeing. And the problem only occurs for www.torproject.org, not for blog.torproject.org or gitweb.torproject.org or any other site.

Tor 0.2.4.24 (on my transparent proxy) isn't the latest, but that shouldn't have any effect on a browser's use of TLS.

January 16, 2015

In reply to gk

Updating my transparent proxy to 0.2.5.10 didn't help.

Set your TBB to transparent proxy mode, put it behind a transparent (i.e. intercepting) 0.2.5.10 proxy, and I think you'll see the problem I'm seeing.

January 14, 2015

Hi.
Thanks for all the work.
I just updated, and now the icon in my task bar for Tor Browser is the stock Firefox icon. Any chance of switching it back in future releases?

I know it seems simple, but since I (and many people) use Tor Browser and Firefox concurrently, having different icons is a quick and easy way we can check to make sure we're using the right browser.

I'd hate for someone (especially beginners) to compromise our anonymity over something so rudimentary.

As a note to beginners who may read this, it's likely preferable to only have one browser window open, to avoid getting confused.

I wish I could use tor browser 100% of the time. For several reasons, that's not currently practical.

Thanks again,
me

January 18, 2015

In reply to gk

Trying to think back, it is quite possible that I had Firefox (clearnet) open while installing the new Tor Browser. It actually looks like it's now back to the Tor Browser icon.

It's a certain Linux distro, and it appears that after a reboot it's back to normal now. I don't know a lot about programming, but I guess since it appears to be back to normal it was some kind of quirk. I had posted my comment under the assumption that it was a widespread "issue." Sorry if I posted hastily.

It does present a question, though.
Icons are harmless, but is it actually possible to have a vulnerability during installation if the firefox process is running? If not an active attack, then "just" the computer having bugs.

Next time I'll probably just shut down firefox to be safe, but it proves how tricky secure computing can really be.

Thanks again!

January 14, 2015

Hopefully this comment gets posted. I have tried making a comment before but it didn't get posted (it was not an abusive or offensive or racist comment, it was a question about something to do with non-exit Tor relays).
My question is, how do I tell if my non-exit Tor relay is an entry relay or a middle relay? I would prefer to be a middle relay (the relay which passes the data on to the exit relay).

January 14, 2015

How can we force Tor 4.0.3 to always present the "Download an External File Type?" dialog when we right click a link and "Save Link As"?

Some file types seem to bypass this dialog and take you straight to naming the file.

January 15, 2015

4.0.3 has a bug.
The Tor browser crashes every time I use it.
Please create a 4.0.4 as soon as possible to fix this bug.
Also has anyone noticed that when you download Tor your connection to the Download Tor page really isn't encrypted?
Right click somewhere on the Download Tor page, and click on properties, and you will see that the connection is Not Encrypted.
Because the Download Tor page isn't encrypted, that means that an attacker can modify your download and eavesdrop on the page.

January 18, 2015

In reply to gk

I also get random crashes since 4.0 or so. I'm on XP, for what it's worth. Did you ditch XP support for good?
I know it's virtually impossible to reproduce random crashes, but it would be great if something could be done about this. Is it a Firefox issue?
So far the best solution for me is still Privoxy and the Expert Bundle. Works like a charm.

January 15, 2015

Hello, I'm from China.
Tor is blocked here;
connections to public Tor relays are blocked.
How do I circumnavigate this?

January 15, 2015

With Tor 4.0.2 I had the same guard node for a few days (which is how I assume it should be).

I have just downloaded 4.0.3.

Checking with Vidalia, it gave me one guard node for half an hour – call it Guard A (not the same one as under 4.0.2). Then it changed to another one (Guard B). I have just started Tor again and it has gone back to the previous Guard A. But, under 'connections' on Vidalia, Guard B is showing as well.

This does not seem right.

Any comments please?

What has Vidalia to do with Tor 4.0.3? There is no Vidalia we ship anymore. It is long outdated and not maintained anymore. And changing guard nodes might happen, e.g. if the one you wanted to use is not available at the moment.

January 17, 2015

In reply to gk

GK

I use Vidalia to see which three nodes make up my connection.

If you know of another way to see my entry, middle and exit nodes I would be very grateful - as, I am sure, many other users would be.

Thanks

January 19, 2015

In reply to gk

"[Vidalia] It is long outdated and not maintained anymore."

So why does Tails still use it?

January 15, 2015

I know how to transfer my bookmarks to a new version.
What is the best way to transfer additional about:config settings and installed Add-ons with their partially extensive configurations?

Perhaps the internal updater is your answer. Didn't check if it keeps extensions and settings but I know it keeps the bookmarks.

Manually, you have to copy your extension files (xpi) or folders into the new profile, you could also create a user.js file in the profile.default folder to enforce your settings at each browser launch. So you would copy the user.js file and the extensions into a new profile after each update.
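The two pieces of advice in this thread and in the RC4 reply near the top of the comments fit together: the cipher-suite toggles made in about:config live in the profile's prefs.js, and a user.js in the same profile directory re-applies its values at every start. The script below is an added example, not code from the Tor Project or Mozilla; it reads prefs.js-style lines, reports which RC4 suite prefs are still enabled, and writes the user.js overrides. The pref names are the cipher-suite prefs Firefox 31 ESR used, the "absent means enabled" default is that release's built-in default for these suites, and the sample prefs.js content is constructed.

```python
"""Audit a Firefox/Tor Browser profile's prefs for RC4 cipher suites and emit
user.js overrides that survive a browser update.

Added example for the comments above; not code from the Tor Project or Mozilla.
Pref names are Firefox 31 ESR's; the sample prefs.js content is constructed.
"""
import re

# One line of prefs.js or user.js: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"[^"]*")\);\s*$')

# Cipher-suite prefs that select an RC4 suite (Firefox 31 ESR pref names).
RC4_PREFS = (
    "security.ssl3.ecdhe_ecdsa_rc4_128_sha",
    "security.ssl3.ecdhe_rsa_rc4_128_sha",
    "security.ssl3.rsa_rc4_128_md5",
    "security.ssl3.rsa_rc4_128_sha",
)


def parse_prefs(text):
    """Return {pref_name: value} for every user_pref() line; comments and
    anything else that is not a pref line are ignored."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = raw == "true"
        elif raw.startswith('"'):
            prefs[name] = raw[1:-1]
        else:
            prefs[name] = int(raw)
    return prefs


def enabled_rc4_prefs(prefs):
    """RC4 prefs that are still on. A pref absent from prefs.js sits at its
    built-in default, and in Firefox 31 these suites defaulted to enabled, so
    an absent pref counts as enabled."""
    return [p for p in RC4_PREFS if prefs.get(p, True) is True]


def user_js_overrides(pref_names):
    """user.js lines pinning each pref to false. Firefox reads user.js at every
    start and copies its values into prefs.js, so the setting comes back even if
    prefs.js is regenerated after an update."""
    return "".join(f'user_pref("{p}", false);\n' for p in pref_names)


# Constructed sample: one RC4 suite already disabled, the others untouched.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("security.ssl3.rsa_rc4_128_md5", false);
user_pref("security.ssl3.ecdhe_rsa_aes_128_gcm_sha256", true);
user_pref("security.tls.version.min", 1);
user_pref("browser.startup.homepage", "about:tor");
"""


def audit(text=SAMPLE_PREFS_JS):
    """Return (RC4 prefs still enabled, user.js text that disables them)."""
    still_on = enabled_rc4_prefs(parse_prefs(text))
    return still_on, user_js_overrides(still_on)


if __name__ == "__main__":
    on, overrides = audit()
    print("RC4 suites still enabled:", on)
    print("Append to user.js in the profile directory:\n" + overrides)
```

Running it against a real profile means passing the contents of that profile's prefs.js to `audit()`; the overrides it returns go into user.js alongside prefs.js, which is the file the comment above suggests copying forward after each update.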

Usually there is a folder with the browser icon in it. Don't remove it from the folder; it needs those files to work. I'm guessing you moved it to your desktop manually, out of the folder?

Try and see what happens.

the folder names may have changed.

if you go into tor browser folder, and see the shortcut to start tor browser, make a shortcut to that, and put the new shortcut on your desktop.

January 16, 2015

Can't open the Tor download on Windows 8.1. It says "NSIS error: installer integrity check has failed. Contact installer's author for a new copy." I have tried redownloading multiple times. Any idea what this means?

February 24, 2015

In reply to gk

I have the same problem; I download from everywhere, even from the Tor website, but it's still not working. Please help!

January 16, 2015

PLEASE help. I haven't a clue what's going on.

Try downloading TBB with a Mozilla browser (.zip version) on Windows 7. The file is downloading but saving is BLOCKED, the download tab in the browser says.
When I RENAME the file for saving, e.g. .txt instead of .exe, it WORKS. ???
I am absolutely clueless.

Defender only as AV, and ad-blocker count is 0.
Some idea?

January 17, 2015

I've gotta ask.

I've been using tor almost ever since it began for communication purposes. I'm still around so yes, it is efficacious - good to see spell-check functional again lol - but now it's time to step up our activities.

Can I use it on the regular internet for making commentary? All non-tor sites - 'cepting this 'un, of course - require a functioning javascript for interaction.

Can our repressive regime, after compelling the isp/media owner to surrender data relating to this activity trace my genuine ip address or does the false ip securely block any and all further enquiries? I'm very much aware that tor net requires javascript to be disabled.

I'd hate to experiment and then find m'self back in gaol. lol

Thanks in advance...

There is the possibility of traffic correlation in extreme (?) cases. There is always the risk of zero-day exploits.

I would recommend using multiple layers of security such as: firewall, anti-exploit, anti-logger applications, VPN(s), virtual machines such as Whonix or Qubes + Whonix, a local DNS proxy with wildcard support (like Acrylic DNS) and an ip blocker such as PeerBlock to gain control over (unwanted) connections.

But if you go the extremely secure Qubes + Whonix route, much of this stuff would be unnecessary.

January 17, 2015

Anyone else ever notice how, shortly after a new release of TBB occurs, just as suddenly there's a new release of NoScript available?
Really makes you think...

There's a new release of noscript every two days or something -- the guy makes his money by putting out frequent new releases and having all his users load his page, with ads in it, on each update.

January 17, 2015

First of all I would like to say thanks to the Tor Project team for all the work and effort you guys put into keeping people safe.

Not sure if this is a bug, but Tor 4.0.3 has been out for 4 days now but I haven't got any notice about that in the Tor Browser. I think that several days is a bit slow an update to notify people that there is a new version available.

Would really appreciate if this could be fixed so that we get the updates right away. Thanks in advance.

January 17, 2015

considering that this is a project with opensource help, then all questions about whether anyone has the ability to compromise your browser bundle or the ones about identity - we don't know who is who, anywhere.

That said, and unfortunately, it's probably a good assumption that the NSA/whoever are also 'aiding' with the coding, helping them to input backdoors for themselves?

It's what i think, how the final bundle is assessed is never disclosed, so hopefully the Tor Dev Team are more towards the non-compromised view than allowing some.

Sorry it's very early, i'm tired - thanks for all your hard work guys! Keep it up.

Well, we do know all of the people who actually commit code to Tor components.

If you think "open source" means "we merge patches from strangers on the Internet without looking at them", then you're doing it wrong. :)

(Tor Browser is a tough case here though, because Firefox is enormous and has their own process for deciding who can merge patches.)

January 18, 2015

The iphone App "Onion Browser" uses Tor- but is its oversight run by the Tor project?
Was it updated with Tor's most recent update? If it does not belong to Tor do you have a recommendation how one would connect to the internet most securely from a mobile device? Many thanks.

January 18, 2015

The old version of Tor worked great. This one doesn't work at all or loads a page in 10+ minutes. Haven't had any issues with Tor in years.

January 18, 2015

The NoScript context menu isn't working properly in the new (Linux) release. It shows no options apart from general allow/ban globally, even after changing the settings in the appearance tab of the options menu. Tried resetting after changing said options and tried to fix it in about:config to no avail. Any suggestions for a temporary fix until this bug is worked out? (I lack the time to register to file a ticket on the bug tracker.)

We are not responsible for the NoScript code. You might want to contact Giorgio Maone about that issue. That said, if it worked in the past, having the NoScript version that introduced the bug would be helpful information.

For me checking 'Permanent "Allow" commands in private windows' under Options helped.

Otherwise some options are not supposed to be available in private browsing mode.

I had similar problems on Windows; all that was showing up was "Temporarily allow all this page" even though I had the options ticked to show Allow. I reset all the permissions in NoScript, then I updated NoScript to version 2.6.9.11, re-imported my previously saved whitelist and it now works.

January 19, 2015

Why does Tor send data through 3 relays?
Why not 6 relays? Wouldn't that be more secure?
Although if that were the case using Tor would be a lot slower.

The relevant concern from "A Peel of Onion" by Paul Syverson:

"...in general, with two-hop circuits a compromised entry or exit would immediately know for each connection through it the single other point to attack to reveal the entire route. If the adversary has resources that can be readily mobilized for attacking at some of the nodes in the network when needed, two-hop circuits would make his job much easier than three-hop circuits, for which he would need to simply be lucky in knowing where to strike and when, or would need to keep his resources persistently mobilized everywhere."

I would argue that in a world where Internet connection data is retained, sometimes by legal mandate, that legal authorities monitoring middle relays are in a position to trivially query that data from both the entry and exit relays. The only thing to stop them would be if one of those relays were operating within an uncooperative regime.
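Both this thread and the "why not 6 relays?" question earlier in the comments turn on the same two facts: an adversary who sees both ends of a circuit wins regardless of how many relays sit between them, and with exactly three hops the middle relay's two neighbours are the entry and the exit. The simulation below is an added example, not code from the Tor Project, and it uses a deliberately simplified model: relays are chosen independently and uniformly at random and the adversary controls a fraction `c` of them. Real Tor path selection is bandwidth-weighted, distinguishes guards from exits and avoids same-family and same-/16 relays; none of that changes the two facts being illustrated.

```python
"""Why extra hops do not help against an adversary watching both circuit ends,
and which relay positions learn both endpoint addresses.

Added example for the circuit-length discussions above; not Tor Project code.
Model assumption: each relay is adversarial independently with probability c.
"""
import random


def end_to_end_compromise(c):
    """Probability that both the entry and the exit of one circuit are
    adversarial. Only the two endpoints enter the formula, so the hop count
    does not appear: three hops and six hops give the same c*c."""
    return c * c


def simulate(n_hops, c, trials=100_000, seed=20150113):
    """Monte Carlo estimate of end_to_end_compromise(c) for n_hops-relay
    circuits. The seed makes the run reproducible."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        relay_is_bad = [rng.random() < c for _ in range(n_hops)]
        if relay_is_bad[0] and relay_is_bad[-1]:
            hits += 1
    return hits / trials


def relays_seeing_both_endpoint_addresses(n_hops):
    """Positions of non-endpoint relays whose two neighbours are the entry
    (position 0) and the exit (position n_hops-1). A relay only learns the
    addresses of its neighbours, so this is exactly the middle of a 3-hop
    circuit and nobody at all for 4 or more hops."""
    return [i for i in range(1, n_hops - 1)
            if i - 1 == 0 and i + 1 == n_hops - 1]


def compare(c=0.10, hop_counts=(3, 4, 6)):
    """Side-by-side view: analytic and simulated end-to-end compromise
    probability, plus which relay positions see both endpoint addresses."""
    return {n: (end_to_end_compromise(c), simulate(n, c),
                relays_seeing_both_endpoint_addresses(n)) for n in hop_counts}


if __name__ == "__main__":
    for n, (exact, est, sees_both) in compare().items():
        print(f"{n} hops: P(both ends bad) = {exact:.4f} "
              f"(simulated {est:.4f}); relays seeing entry+exit: {sees_both}")
```

The output line for six hops shows the same probability as the one for three: the extra relays cost latency and capacity but do nothing about an observer at both ends. The third column shows the point made in the earlier reply about a minimum of four relays: it is the only one of the three hop counts under which some relay is told both endpoint addresses.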

January 19, 2015

Hi,

What is meant by permanent "Allow" commands in private windows?

February 17, 2015

In reply to gk

GK

Since 'Private browsing mode' is the Tor browser default, does this not mean that you are always allowing scripts?

This sounds ridiculous and so I may have got it all wrong, but could you please clarify this point for us all?

Thank you

January 19, 2015

I am using a Mac 10.6.8 32-bit system and I am glad that I can still use Tor Browser 4.0.3. But as far as I know the end will come soon. Is an exact date already fixed?

January 19, 2015

Tor does work more or less on Windows 7 (often with 100% CPU usage), crashes and is very slow on Windows XP, and does not start at all on certain popular Linuxes I have tried. For me Tor 4 is almost useless; I have to use 3.6.6 and am sick and tired of the "update needed" exclamation mark. Terrible modern programming...

Tor 4.0.3 works normally on Debian 7.8 and Altlinux Starter Kits. On older distros like Mint 16 or Centos 6.3 there are problems (errors) when I extract the tar.xz. In Mint 16 only the terminal and tar -xfJz works. In Centos 6.3 extraction in the terminal fails.

As far as Windows XP users are concerned, I advise disabling the Web Client service.
After that you can use Tor 4.0.3 with only very rare crashes.

Windows XP SP3 behind a firewall is as safe as Windows 7 and Linux or safer than Linux(with firewalls too).

First of all, you're probably having trouble with Tor Browser, not tor itself. Second, "certain popular Linuxes" doesn't really help troubleshooters; be specific. In fact, give the error in detail. The Windows XP error might not have anything to do with WinXP but the hardware. Does normal Firefox run on it well?

So why not keep using it? I do. Don't upgrade if there are no problems. And yes I believe winxp(x64) os is fine for many purposes. Just have some structural security in your local network.

For both Windows and Tor Browser, you're opening yourself up to known security flaws with using unsupported versions. DON'T use an outdated browser! You shouldn't use Windows XP for anything that connects to the internet (unless you're still on corporate support. If you don't know what that means, you're not.) In general, it's a bad idea that can lead to an attacker easily compromising your computer. In terms of maintaining anonymity, it makes it impossible; an attacker can compromise your system and easily gain access to your identity before doing whatever else they want. Yes, there are ways to mitigate some of these attacks, but by and large the mitigations are complicated solutions the average user isn't going to want to try.

January 19, 2015

This is not a complaint but rather a suggestion. I get fed up with having to redo all my settings every time there is a new Tor version. The main reason is all the crap that Mozilla carries with it, such as unwanted search engines, Google links in about:config, HTTPS settings that I am still puzzled about, changing the Mozilla home page and suchlike. Could the developers not create a really stripped-down version for those of us who do not want bells and whistles, but just a basic secure browser?

You don't have to redo all your settings with each new Tor Browser version. Download it once, configure it as you please and just use the internal updater. It won't touch your modifications (if so, then this is a bug that needs to get fixed).

January 23, 2015

In reply to gk

My point is, why do you still retain the automatic Google links that the Firefox browser has? This alone is a security issue, let alone all the other things such as 'network.http.sendRefererHeader' and other settings which can be disabled.

Tor may be great, but there still remains the need for a basic version stripped of every potential security leak that Firefox creates.

January 19, 2015

I guess this sounds weird; I felt weird too. When I installed the new 4.0.3, I installed it in a new folder instead of the default folder, which would overwrite my 4.0.2. After I installed 4.0.3, I ran it and went to the bridge settings; to my surprise, it didn't show obfs3, instead there is a line under "enter custom bridges". This surprised me; I do not understand how it got there. It feels like all my connections will go through that relay "I am not aware of", which means it captures all my connection information. Can someone help to give me some information on how this could happen? Thanks.

January 20, 2015

Hi,

What is meant by permanent "Allow" commands in private windows?

IS THIS SAFE?

January 20, 2015

The test of http://ip-check.info/ with "Allow Script Globally" on NoScript says Local storage is enabled and should be disabled.

It recommends to open about:config and set dom.storage.enabled to "false".

Is this recommended or not? Thanks.

January 24, 2015

In reply to Anonymous (not verified)

"ip-check.info"?

Last I checked, site was a plain, unencrypted, unauthenticated http; not httpS SSL/TLS.

That means when you visit the site, you are at the mercy of your exit node, which can tamper with and manipulate the content.

And yet people continue to take this "ip-check.info" seriously?

Am I missing something here?

I believe the question was "Is this recommended or not?", not a request for a personal opinion on whether to believe it or not. And no need to check when it was clearly typed http://...

January 21, 2015

Why does the Tor Browser included with Tails not have all the pluggable transports offered in the non-Tails Tor Browser?

January 23, 2015

Update on this attack from 2014: https://blog.torproject.org/blog/tor-security-advisory-relay-early-traf…

https://nakedsecurity.sophos.com/2015/01/23/silk-road-2-0-deputy-arrest…

"A 6-month infiltration of Tor

According to Larson's search warrant, the Silk Road 2.0 investigation has been based on a six-month infiltration attack launched against Tor, the anonymizing service that kept Silk Road 2.0 users anonymous.

From January 2014 to July 2014, agents managed to get what Larson described as "reliable" IP addresses for Tor and for services hidden behind its layers, including Silk Road 2.0. That included its main marketplace URL, its vendor URL, and its forum URL.

Agents used this data to track down Silk Road 2.0's servers, which resulted in the site's takedown in November 2014.

The data was also used to identify another 17 black markets hidden on Tor. Larson didn't give details on these other Tor-hidden markets."

Please share

January 25, 2015

Re Mozilla Corp.: it's about time they were investigated as to how they can afford to give the whole world a free browser without ads paying them. Who pays, I wonder? Yet Tor is based on this flawed browser?

And, yes, the fact that Mozilla makes their money* from the likes of Google and Yahoo, should warrant wariness about any claims made concerning "protecting your privacy", etc.

(*enough to pay pretty generous salaries to their top-cats, like most "non-profits")

January 27, 2015

Tor still has security problems, big ones.

I’ve noticed since using Vidalia to see all my connections, that the first connection is always the same one, even if the second and exit IPs change. Even if I log off for days, when I connect again, it always uses the same first IP as before. The only way to change this is to delete the whole installation, and reinstall again, which is a big pain.

If it were not for Vidalia, I would not be able to see this problem, and this problem has been around for about a year now. This never used to happen prior to that time with other versions, and is the same regardless of the PC I use, or which ‘updated’ installation I use.

Has anyone else seen this if they use Vidalia to see which connection is first? No matter how many new IP exits are made, the first connection remains the same, unless I delete the installation, and re-install, then there is a new one, but again, this new one locks again, and never changes, so the problem remains.

This surely must be a major security fault if you always get the same first connection? Are Tor developers even aware of this issue or do they not see it because not many people use Vidalia to see all their connections?

I've also re-installed Vidalia, and it does not influence the first IP, so it is not the problem, the problem is with Tor. Is there a log file that I can delete each session to erase any logs of the first IP?
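The unchanging first hop described in the post above is Tor's entry guard: by design Tor keeps the same first relay for weeks to months, to limit how many different entry relays ever see a client, and records its choice in the "state" file in the Tor data directory, which is why it survives restarts and only changes when that directory is deleted. The following parser, added here as an example and not code from Tor or from this blog, reads the EntryGuard records out of a constructed sample state file. The line format follows the tor 0.2.x state file, but the nicknames, fingerprints and timestamps are made up.

```javascript
// Added example, not code from Tor or this blog. Parses the EntryGuard records
// of a Tor state file to show which relay Tor will keep using as its first hop,
// and for how long it has done so. SAMPLE_STATE is constructed sample data in
// the tor 0.2.x format; nicknames, fingerprints and timestamps are made up.
const SAMPLE_STATE = [
  "# Tor state file last generated on 2015-01-27 10:00:00 local time",
  "# Other times below are in UTC",
  "# You *do not* need to edit this file.",
  "",
  "EntryGuard guard1 0123456789ABCDEF0123456789ABCDEF01234567 DirCache",
  "EntryGuardAddedBy 0123456789ABCDEF0123456789ABCDEF01234567 0.2.5.10 2014-12-30 09:12:40",
  "EntryGuard guard2 89ABCDEF0123456789ABCDEF0123456789ABCDEF NoDirCache",
  "EntryGuardAddedBy 89ABCDEF0123456789ABCDEF0123456789ABCDEF 0.2.5.10 2015-01-05 17:45:02",
  "EntryGuardDownSince 2015-01-20 03:10:11 2015-01-20 03:10:11",
  "LastWritten 2015-01-27 10:00:00",
].join("\n");

// Parse a state file into a list of guard records, one per EntryGuard line.
// EntryGuardAddedBy / EntryGuardDownSince lines refer to the preceding guard.
function parseEntryGuards(stateText) {
  const guards = [];
  let current = null;
  for (const raw of stateText.split("\n")) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue;
    const [key, ...fields] = line.split(/\s+/);
    if (key === "EntryGuard") {
      const [nickname, fingerprint, dirCache] = fields;
      current = {
        nickname,
        fingerprint,
        dirCache: dirCache === "DirCache",
        addedByVersion: null,
        addedAt: null,
        downSince: null,
      };
      guards.push(current);
    } else if (key === "EntryGuardAddedBy" && current !== null) {
      // Fields: fingerprint, tor version that chose the guard, date, time (UTC).
      const [fingerprint, version, date, time] = fields;
      if (fingerprint === current.fingerprint) {
        current.addedByVersion = version;
        current.addedAt = `${date}T${time}Z`;
      }
    } else if (key === "EntryGuardDownSince" && current !== null) {
      current.downSince = `${fields[0]}T${fields[1]}Z`;
    }
  }
  return guards;
}

// Whole days a guard has been in use as of nowIso (an ISO-8601 UTC timestamp).
function guardAgeDays(guard, nowIso) {
  const ms = Date.parse(nowIso) - Date.parse(guard.addedAt);
  return Math.floor(ms / 86400000);
}

// What a Vidalia user sees as the "first connection": the guard relays Tor is
// committed to, how long each has been in use, and whether one is currently down.
function guardSummary(stateText, nowIso) {
  return parseEntryGuards(stateText).map((g) => ({
    nickname: g.nickname,
    fingerprint: g.fingerprint,
    daysInUse: guardAgeDays(g, nowIso),
    currentlyDown: g.downSince !== null,
  }));
}

console.log(guardSummary(SAMPLE_STATE, "2015-01-27T10:00:00Z"));
```

Run against a real state file, the fingerprints in the output can be matched against the relay shown first in Vidalia; the EntryGuardAddedBy date is when Tor committed to that relay.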

January 27, 2015

Problem loading page 99.9% of the time.

Should be renamed to Crap Network.

January 31, 2015

Something strange...
I downloaded, verified (OK) and extracted 4.0.3.
The last-modified date of the newly created folder is 01/01/2000, same with the "start-tor-browser" file, whereas the "browser" folder has the actual date...

Does it mean the download is corrupted, although verification was OK???

February 02, 2015

Hi, is Chatstep safe with Tor? I tried Chatstep with Tor but I cannot join or create a room because the buttons are unresponsive.

I also get an untrustworthy site message.

February 04, 2015

Regarding all the problems with Firefox, I wanted to suggest that you move to Pale Moon as a base (www.palemoon.org).

Pale Moon is a more conservative, stripped-down, security-conscious Firefox fork, finely tuned for performance and without the much-hated Australis UI. The developers already made a lot of the tweaks you are doing to Firefox to make browsing more secure (and even some you don't - for example http://forum.palemoon.org/viewtopic.php?f=24&t=6262), so you could forget about redoing them yourself and concentrate more on other aspects. They base their browser on older and thoroughly tested versions of Firefox, but still integrate the latest FF security fixes themselves.

There are Windows and Linux versions available; both have 32- and 64-bit optimized variants but dropped Windows XP support. There is also an ARM processor variant, which will continue to support Windows XP and also works on all later versions of Windows, so you could just use this one to cover it all! And there is an Android version too!

Is there anything I'm missing in terms of this not being a suitable browser for Tor?

I would also like to ask whether it is OK to use the HTTP Nowhere add-on with Tor Browser, and the reason you don't include it by default. The same question goes for http://convergence.io.

February 08, 2015

I have heard that allowing frames (about:config: browser.frames.enabled = true) is a threat to anonymity.

Is this true?

I am sure that we would all welcome your thoughts.

Thanks for all your work.

February 09, 2015

I need to use Twitter and it is necessary to enable Javascript. Will this compromise my Tor 4.0.3 Anonymity?

Many Tor Browser users have JavaScript enabled and are doing fine.

There are no known ways currently to use JavaScript to deanonymize you. It does increase the surface area (exposing more security vulnerabilities in the browser), but things like image rendering are bad news there too, and we don't hear about people trying to turn those off.

https://www.torproject.org/docs/faq#TBBJavaScriptEnabled

February 09, 2015

OK, I also use a 256-bit encryption VPN and then open Tor. Does this increase protection, and can a VPN of this type be hacked?

February 14, 2015

I'm pretty sure Tor Browser users are uniquely identifiable!
I found this bug tracker ticket https://trac.torproject.org/projects/tor/ticket/11949 where the developers say it's by design, but to me it seems a pretty bad leak...

The fingerprinting test http://fingerprint.pet-portal.eu knows it's me every time, even if I click New Identity! And after restarting the browser, or even reinstalling, it's still me! So, as the OP says, it looks like my PC is uniquely identifiable even through Tor Browser.

The developers say Tor users are supposed to look the same, but this test shows exactly the opposite! If I run the test on another machine, the test generates a different identifier, which of course again persists even when reinstalling Tor Browser. So PC1 always has one identifier and PC2 always the second!

I invite anybody who doesn't believe this to take the test and compare the identifier. Mine is c7ddf2f2639f4af5df92105cadef88d9, is yours the same? Please post your results if possible.

I don't know how the hash is generated. They say they collect the IP address. So, if it goes into the hash as well, it is not surprising that you get a different one after you click "New Identity" or test on a different computer.

And no, making Tor Browser users ideally uniform leaks nothing besides the fact that they are using a Tor exit relay which is public information anyway.

February 19, 2015

In reply to gk

The hash is generated according to the fingerprint the browser leaks. Clicking on the "Details" tab gives you an overview of what info they got from you (tests I ran on other similar pages got even more info).

Apparently I was misunderstood. Actually I wanted to expose the fact that I DON'T get a different hash, even if I click New Identity (so the hash doesn't take the IP into consideration at all). And even after restarting the browser or reinstalling Tor Browser it's still me, meaning I get the same hash - let's say hash1. That would be OK if I got the same hash using the same browser on another PC, but no, there I get a different hash - let's say hash2, which is again always the same no matter what I do. This way the testing page always knows which PC I'm on. I didn't change any other settings or install any plug-in/add-on in either browser, so I suspect it's something hardware related.

Maybe I don't understand something, but I still think Tor Browser users should always get the same hash, no matter what PC they are on.

February 19, 2015

Why was this file added to Tor: "terminateprocess-buffer.exe *32"? I noticed in Task Manager that when it is deleted it closes Tor Browser; it takes forever now to go to websites.

February 23, 2015

Hello,

I would like to set up Tor Browser 4.0.3 to pick an IP address in France. It was easy to do with Vidalia, but I don't know how to proceed with the new Tor. Could someone help?

Best