New Tor Browser Bundles

The Tor Browser Bundles have all been updated to the latest OpenSSL 1.0.1c. All users are strongly encouraged to update.

https://www.torproject.org/download

Tor Browser Bundle (2.2.35-12)

  • Update OpenSSL to 1.0.1c
  • Update Libevent to 2.0.19-stable
  • Update zlib to 1.2.7
  • Update NoScript to 2.4.1
Anon

May 17, 2012


Just tested 2.2.35.12 and it's working fine on Vista.

Keep up the good work!

Cheers.

Anon

May 17, 2012


When you type something (at least two words) into the address bar and enter it, it's searching Google.

Previously, nothing was happening. Please at least make it Startpage.

I can confirm that, on Windows, it also shows the full path when running Pale Moon Portable (12) and using FoxyProxy instead of Torbutton - doesn't appear it's isolated to the Tor Browser Bundle.
Shouldn't be an issue unless you allow scripts to run of course.

> TOR ON WINDOWS IS UNSAFE

... a glitch in TBB that can be easily amended. The elephant in the room is Windows itself. As a proprietary, closed source and partially undocumented OS, Windows is and always will be inherently unsafe. If you look around on the web pages of "Black Viper" or "The elder Geek" you'll find that even competent people are racking their brains to figure out which Windows services do what, which Windows services establish network connections without asking and without giving any indication, which Windows services can be turned off and which can't, etc. etc. Microsoft as well as Apple keep users deliberately in the dark about such matters because secretiveness is part of their business model. It is beyond me, why people would go to such lengths as to install Tor or TBB on inherently insecure operating systems like these. Standard GNU/Linux distributions have no dark corners because they are open and fully documented. If you want to be reasonably sure that Tor delivers the promised anonymity, use one of these.

"Standard GNU/Linux distributions have no dark corners because they are open and fully documented. If you want to be reasonably sure that Tor delivers the promised anonymity, use one of these."

Two questions:

1.) What about BSD?

2.) Does all open source code really get scrutinized that well? How many people actually analyze all of it?

+1

Amazing how it's assumed that there is this large shadow crew of MIT geeks burning a candle seven days/nights each week analyzing open source software.

My guess is that the answer to "2)" is "not much and not well"

Geeks f**k around on Twitter and Facebook too.

I have JavaScript off and scripts off, the site just shows blank for me. Do you think it finds my username but just can't show it? Or do you think the JavaScript off and scripts set to be off globally is blocking it from finding the data?

I also turn off cookies but had to turn it on to post here.

You're probably in good shape (against this particular issue) if you have javascript off.

No offense, but you have to be pretty dense to use a computer with a username suggestive of your own to browse anonymously. In Windows 7, one can easily change the username by opening "User Accounts." I would suggest a generic username like "Admin." But definitely this should be fixed so it doesn't give snoopers one more data point for identification.

http://pseudo-flaw.net/tor/torbutton/browserfeedwriter-error.html
check it out... it reveals the Tor folder completely... for Windows users, the username...

I'm getting codesigning failures on 64-bit OSX for the latest bundles (2.2.35-12):

    $ codesign -vv TorBrowser_en-US.app
    TorBrowser_en-US.app: a sealed resource is missing or invalid
    resource modified: /Volumes/xxxx/TorBrowser_en-US.app/Contents/Resources/Docs/changelog

Was the changelog changed after the bundle was signed?

We don't use codesign to sign the TBBs, we use gpg signatures.

We use gpg to sign packages. I don't think we use codesign. Can you point us at some resources for how and why to do it?

The TorBrowserBundle is most definitely codesigned:

    $ codesign -dvv TorBrowserBundle
    Executable=/private/tmp/TorBrowser_en-US.app/Contents/MacOS/TorBrowserBundle
    Identifier=org.torproject.TorBrowserBundle
    Format=bundle with generic
    CodeDirectory v=20100 size=160 flags=0x2(adhoc) hashes=1+3 location=system
    Signature=adhoc
    Info.plist entries=19
    Sealed Resources rules=4 files=13
    Internal requirements count=1 size=92

As is Vidalia.app:

    $ codesign -dvv Vidalia.app
    Executable=/private/tmp/TorBrowser_en-US.app/Contents/MacOS/Vidalia.app/Contents/MacOS/Vidalia
    Identifier=net.vidalia-project.vidalia
    Format=bundle with Mach-O thin (x86_64)
    CodeDirectory v=20100 size=34976 flags=0x2(adhoc) hashes=1742+3 location=system
    Signature=adhoc
    Info.plist entries=16
    Sealed Resources rules=4 files=9
    Internal requirements count=0 size=12

(The Vidalia.app code signature verifies correctly)

But not TorBrowser.app:

    $ codesign -dvv TorBrowser.app
    TorBrowser.app: code object is not signed at all

The code signatures are not signed using any certificate. I think a "codesign" build rule was inadvertently enabled.
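The distinction drawn in the comment above (an ad hoc seal versus a signature tied to a certificate) can be checked mechanically from `codesign -dvv` output. The following is an added example, not part of the original thread or of the Tor Project's tooling; the function name and the identity-signed sample are constructed for illustration.

```python
import re

# Output quoted in the thread above (list numbers and <br /> stripped).
ADHOC_OUTPUT = """\
Executable=/private/tmp/TorBrowser_en-US.app/Contents/MacOS/TorBrowserBundle
Identifier=org.torproject.TorBrowserBundle
Format=bundle with generic
CodeDirectory v=20100 size=160 flags=0x2(adhoc) hashes=1+3 location=system
Signature=adhoc
Info.plist entries=19
Sealed Resources rules=4 files=13
Internal requirements count=1 size=92
"""
UNSIGNED_OUTPUT = "TorBrowser.app: code object is not signed at all\n"
# Constructed sample of an identity-signed bundle; all names are placeholders.
IDENTITY_OUTPUT = """\
Identifier=org.example.App
CodeDirectory v=20100 size=500 flags=0x0(none) hashes=10+3 location=embedded
Authority=Developer ID Application: Example Corp
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Info.plist entries=19
"""

CS_ADHOC = 0x2  # code-directory flag bit displayed as flags=0x2(adhoc)


def classify_signature(display_output):
    """Classify `codesign -dvv` text as unsigned, adhoc, identity or unknown."""
    if "code object is not signed at all" in display_output:
        return {"state": "unsigned", "identifier": None, "authorities": []}
    identifier, authorities, adhoc = None, [], False
    for line in display_output.splitlines():
        key, _, value = line.partition("=")
        if key == "Identifier":
            identifier = value
        elif key == "Authority":
            authorities.append(value)  # one line per certificate in the chain
        elif key == "Signature" and value == "adhoc":
            adhoc = True
        elif line.startswith("CodeDirectory "):
            m = re.search(r"flags=0x([0-9a-fA-F]+)", line)
            adhoc = adhoc or bool(m and int(m.group(1), 16) & CS_ADHOC)
    # An ad hoc seal hashes the bundle contents but names no signer.
    state = "adhoc" if adhoc else ("identity" if authorities else "unknown")
    return {"state": state, "identifier": identifier, "authorities": authorities}
```

An `adhoc` result means the seal can reveal that a sealed file changed, as with the changelog above, but says nothing about who produced the bundle; that assurance comes from the gpg signatures.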

From Jondo Forum Conceptual Questions and discussions:

Tor bundle ‘browser.cache.memory.enable’ will not stay reset

Not strictly a JD problem but when the Tor bundle (Vidalia 0.2.17) browser (Firefox 12) is opened and the exit is checked with IP Check ( http://ip-check.info/ ) it rates the Cache (E-Tags) as bad. Ok, so you do the thing and the rating changes to good. Next time you launch a Tor session the cache is enabled again. What's going on?

Checked the regular browser and it stays reset every session every time. Unless you’re aware of the problem you’re broadcasting your identity. Feels like a bug in the bundle?

The fix suggested is not available under windows?

Torbutton -> Preferences -> Security Settings -> Cache -> Block disk and memory cache access during Tor

Using Windows 7.

I downloaded the Tor browser update. When I change identity, then use duckduckgo ('cause that's what I saw on the Tor site) to find out "what's my ip" (I need to know where the ip is located and I need the IP # to ensure I don't use duplicate IPs in one session) I keep getting:

"IP [ip number] - Anonymous Proxy"

Only very rarely, maybe 1 out of 20 new identities, does it show a city/country.

I've tried editing the torrc to restrict exitnodes to specific IPs, and even when including StrictExitNodes 1, that's being ignored and I still get "Anonymous Proxy."

I have a lot of the IPs written down, which I know used to show locations, but now they aren't, they show "Anonymous Proxy" instead. I have others who use Tor - they as well as I - need to get an identifying location. No other search engine is showing me a location as well as duckduckgo has been able to.

What is the final recipient of my data seeing? "Anonymous Proxy"? I need for the final recipient to believe the data is coming from a real location, and not a proxy.

Also, I tried getting rid of the Tor Browser bundle and cleaning my registry, downloading the obfsproxy (obfsproxy is the actual product I'd like to use) and it's happening with that as well.

Can I get any kind of help on this issue? Sure would appreciate some enlightenment and maybe a way to get the identity to show a location - maybe someone can suggest a better search engine than duckduckgo?

Thanks in advance!

Just a guess, but I believe most of your exit nodes have had a Tor exit notice webpage, DirPort or something else listening on port 80 (HTTP) and DuckDuckGo determines whether to display "anonymous proxy" or a location based on that.

Note: the final recipient CAN potentially find out if you're using Tor, since the list of exit nodes is public info. No way around that other than chaining an additional proxy after Tor but I don't think there's a simple way to do that with Tor Browser Bundle.

To check which country your current exit node is located in: open up Vidalia's network map, load a page, watch which circuit in the list opens up new connections, then click on it and scroll to the last node shown on the right. You could also try other websites that show your location such as geoiptool.com (first result searching DDG for "geoip").

Thanks for the response.

Are you saying the final recipient does or does not see "Anonymous Proxy"? That's what I need to know :) Or does the recipient see just the IP?

FYI--this did not start happening until I downloaded the newest update for Tor Browser. Then I switched over to the obfsproxy and the same occurs there, when it did not the last time I had it downloaded.
I'd prefer to use the older versions if they are available.

And I'm also having trouble making the obfsproxy to NOT show up as my using Tor when I use the link supplied by your organization to test it: https://check.torproject.org/?lang=en-US&small=1&uptodate=1 . Why does that say I'm using Tor when obfsproxy is supposed to make it look like regular traffic, not Tor traffic? I understand the recipient can find out if I'm using Tor, but if using obfsproxy, something changes, right, so it looks more like regular traffic?

I haven't changed a thing, just downloaded the newer version(s) of Tor Browser, then deleted it and downloaded the obfsproxy, and still get the same "Anonymous Proxy" results. I never have both downloaded at the same time.

I'd prefer to use the obfsproxy so my traffic looks like regular traffic but can't get that link to ever say that I'm NOT using Tor.

Thanks so much for all your help and all the work you do :) .

As far as I know, by default they only see the IP address of the exit node, but depending on where the data ends up (say, website visitor logs, e-mail message headers) the IP may be checked for more info such as reverse DNS (which often has "tor" or "proxy" written all over it to help shift blame from relay operators in case of abuse) or if it has the HTTP port open, as proxies usually do (which is what I guess DDG does). Tor exits can also be automatically detected with the help of scripts using the public list.

Basically, any recipient could theoretically use at least the same methods as DuckDuckGo does to find out whether the IP should be called "anonymous proxy" or not — whatever those methods are more specifically.

Obfsproxy only attempts to hide Tor usage on your end of the circuit: from your ISP, a spying wireless operator, local proxies and routers etc. From the first hop onwards there is no difference to standard Tor, which also means there should be no difference in what the exit node or final recipient sees.

I downloaded the Tor Browser Bundle on Windows 7 but cannot open it.

What should I do? Can someone help me?

Thank you

Sandra

HOW TO CHECK OUTGOING TRAFFIC AND SOME SECURITY ISSUES!

Sometimes we have to configure some applications like yahoo messenger and other instant messengers or browsers with TOR, but we want to know some fool-proof method to know as to where our outgoing traffic is going and whether the application is currently routing the whole traffic through TOR or not.

When I configure any application, I rely on freeware tools like cports or PROCESS HACKER or PROCESS EXPLORER to see where my application is connected. Is it an authentic way to do the same?

1. Please give us some method to check all that. Most of the social activists are not well versed in techniques.

2. Why doesn't TOR or TAILS maintain a connection to 4 or 5 nodes instead of just 3 nodes? I think that creating something to route the data through 4 or 5 nodes of different countries will be more secure because it will be more likely to be 100% anonymous over the internet.

3. Today someone suggested that I use a new TOR/TAILS based application called "AdvOR" or "AdvTOR" or "Advanced Onion Routing" which routes all our internet traffic to any number of nodes (subject to a maximum of 10 nodes, and those all belonging to different countries). But since this AdvOR is not certified by you, nor by TOR, we can't rely on it because we cannot believe their claims unless duly recommended by your team. What's your take on it? If they can give us an option to set any number of nodes to route our traffic, why can't you do the same? You are doing a lot of hard work to ensure security of life and liberty to social activists and we want something more and more secure.

4. We have to use many addons on Firefox while using "TAils" and "TOR"; how can we know which addon is safe and doesn't reveal our real IP address?

The problem with TAILS is that it is based on linux which we generally do not use because we are using Windows operating system since our childhood.

Kindly discuss in detail as all the users of TAILS and TOR are supposed to read this thread. Discuss more and more in this thread (post).

5. Facebook has started blocking the profiles of users who are using TOR/TAILS due to constant change in IP address. They compel the users to verify their profiles with cellphone numbers which we can not do because giving cellphone number means giving each and every verified details of ours to facebook and we can be traced easily within a few minutes.

My Exit node seems to be:
Amunet5 (Online)
Location: United States
IP Address: 199.48.147.39
Platform: Tor 0.2.3.13-alpha (git-de73e3692a6d8377) on Linux x86_64
Bandwidth: 7.49 MB/s
Uptime: 42 days 13 hours 7 mins 59 secs
Last Updated: 2012-05-24 15:07:51 GMT

BUT torstatus.all.de shows:
You do not appear to be using Tor
Your IP Address is: 199.48.147.46

Can someone possibly explain this? Thank you.

199.48.147.39 is the IP address that Amunet5 listens on. 199.48.147.46 appears to be the IP address that Amunet5 makes *outbound* connections on.

This "multihome" approach, where big servers like Amunet have a bunch of IP addresses, is quite common.

If websites like torstatus.all.de just look through the list of IP addresses that Tor relays *listen* on, it will never know about 199.48.147.46.

Tools like TorDNSEL and the upcoming TorBEL (see https://gitweb.torproject.org/) aim to do active checks through each exit relay to see where the outbound connections come from, and then export that data at http://exitlist.torproject.org/. That's how check.torproject.org is usually able to recognize multihomed Tor exit relays.

Of course, there's always a small gap between when an address changes and when the exitlist lists it, so the system will never be perfect.
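The difference between checking listen addresses and checking measured outbound addresses, as described in the reply above, is shown in this added example (not code from the original post or from TorDNSEL). It assumes the `ExitNode` / `ExitAddress` record layout for the exit list; the fingerprints, timestamps and the 192.0.2.x relay are constructed, and only the two 199.48.147.x addresses come from the thread.

```python
import ipaddress

FP_A, FP_B = "A" * 40, "B" * 40  # placeholder fingerprints, constructed

# Constructed sample in the assumed exit-list layout.
SAMPLE_EXIT_LIST = f"""\
ExitNode {FP_A}
Published 2012-05-24 03:00:00
LastStatus 2012-05-24 15:00:00
ExitAddress 199.48.147.46 2012-05-24 15:05:00
ExitNode {FP_B}
Published 2012-05-24 04:00:00
LastStatus 2012-05-24 15:00:00
ExitAddress 192.0.2.10 2012-05-24 14:00:00
ExitAddress 192.0.2.11 2012-05-24 14:30:00
ExitAddress not-an-ip 2012-05-24 14:45:00
"""

# Constructed: relay listen addresses, all a directory-only checker knows.
LISTEN_ADDRESSES = {FP_A: "199.48.147.39", FP_B: "192.0.2.10"}


def parse_exit_list(text):
    """Return {fingerprint: set of measured outbound (exit) addresses}."""
    exits, current = {}, None
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "ExitNode":
            current = fields[1]
            exits.setdefault(current, set())
        elif len(fields) >= 2 and fields[0] == "ExitAddress" and current:
            try:
                exits[current].add(ipaddress.ip_address(fields[1]))
            except ValueError:
                continue  # skip a malformed address instead of aborting
    return exits


def seen_by_listen_check(ip, listen=LISTEN_ADDRESSES):
    """Naive check: compares only against addresses relays listen on."""
    known = {ipaddress.ip_address(a) for a in listen.values()}
    return ipaddress.ip_address(ip) in known


def seen_by_exit_check(ip, exits):
    """Exit-list check: compares against measured outbound addresses."""
    addr = ipaddress.ip_address(ip)
    return any(addr in addrs for addrs in exits.values())
```

With this data the listen-address check misses 199.48.147.46 while the exit-list check catches it, and the reverse holds for 199.48.147.39, which only ever accepts inbound relay connections.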

I downloaded Tor from this site & set it up. But I can not use it properly. Please give me using processes.

Download the Tor Browser Bundle, unpack it, run "start tor browser", wait until the Tor Browser window shows up, and then browse with it. That's about all there is to it in terms of making it go.

Of course, it is hard to browse the web safely, and Tor doesn't change that. See https://www.torproject.org/download/download#warning for some suggestions there.