Tor Browser 4.5 is released

The Tor Browser Team is proud to announce the first stable release in the 4.5 series. This release is available from the Tor Browser Project page and also from our distribution directory.

The 4.5 series provides significant usability, security, and privacy enhancements over the 4.0 series. Because these changes are significant, we will be delaying the automatic update of 4.0 users to the 4.5 series for one week.

Usability Improvements


On the usability front, we've improved the application launch experience for both Windows and Linux users. During install, Windows users are now given the choice to add Tor Browser to the Start Menu/Applications view, which should make it easier to find and launch. This choice is on by default, but can be disabled, and only affects the creation of shortcuts - the actual Tor Browser is still self-contained as a portable app folder. On the Linux side, users now start Tor Browser through a new wrapper that enables launching from the File Manager, the Desktop, or the Applications menu. The same wrapper can also be used from the command line.

We've also simplified the Tor menu (the green onion) and the associated configuration windows. The menu now provides information about the current Tor Circuit in use for a page, and also provides an option to request a new Tor Circuit for a site. Tor Browser is also much better at handling Tor Circuits in general: while a site remains in active use, all associated requests will continue to be performed over the same Tor Circuit. This means that sites should no longer suddenly change languages, behaviors, or log you out while you are using them.


Figure 1: The new Tor Onion Menu


Security Improvements


On the security front, the most exciting news is the new Security Slider. The Security Slider provides user-friendly vulnerability surface reduction - as the security level is increased, browser features that were shown to have a high historical vulnerability count in the iSec Partners hardening study are progressively disabled. This feature is available from the Tor onion menu's "Privacy and Security Settings" choice.


Figure 2: The new Security Slider

Our Windows packages are now signed with a hardware signing token graciously donated by DigiCert. This means that Windows users should no longer be prompted about Tor Browser coming from an unknown source. Additionally, our automatic updates are now individually signed with an offline signing key. In both cases, these signatures can be reproducibly removed, so that builders can continue to verify that the packages they produce match the official build binaries.

The 4.5 series also features a rewrite of the obfs2, obfs3, and ScrambleSuit transports in GoLang, as well as the introduction of the new obfs4 transport. The obfs4 transport provides additional DPI and probing resistance features which prevent automated scanning for Tor bridges. As long as they are not discovered via other mechanisms, fresh obfs4 bridge addresses will work in China today. Additionally, barring new attacks, private obfs4 addresses should continue to work indefinitely.


Privacy Improvements


On the privacy front, the 4.5 series improves on our pre-existing first party isolation implementation to prevent third party tracking. First party isolation provides the property that third party advertisements, like buttons, and "mashup" content that is included on one site will only know about your activity on that site, and will not be able to match it to your activity while you are on any other site. In other words, with first party isolation, Facebook, Twitter, and Google+ can't track you around the entire web using their infamous like buttons.

Specifically, in the 4.5 release, we now ensure that blob: URIs are scoped to the URL bar domain that created them, and the SharedWorker API has been disabled to prevent cross-site and third party communication. We also now make full use of Tor's circuit isolation to ensure that all requests for any third party content included by a site travel down the same Tor Circuit. This isolation also ensures that requests to the same third party site actually use separate Tor Circuits when the URL bar domain is different. This request isolation is enforced even when long-lived "HTTP Keep-Alive" connections are used.
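The request isolation described above can be modelled in a few lines. This is an added example, not Tor or Torbutton code: it assumes the browser sends the URL bar domain as the SOCKS username with a counter as the password, and that the tor client never shares a circuit between streams whose credentials differ. The `instance_tag` prefix and all `.example` hosts are constructed for illustration.

```python
"""Toy model of SOCKS-credential circuit isolation (illustrative only)."""
from dataclasses import dataclass, field
from itertools import count
from urllib.parse import urlsplit


def first_party(url_bar_url: str) -> str:
    """Host shown in the URL bar. A real browser would reduce this to the
    registrable domain; the model keeps the full host for simplicity."""
    return (urlsplit(url_bar_url).hostname or "").lower()


@dataclass
class Browser:
    """Browser side: chooses SOCKS credentials for each request (assumed scheme)."""
    instance_tag: str = ""                      # hypothetical per-instance prefix
    nonces: dict = field(default_factory=dict)  # first party -> "new circuit" counter

    def socks_auth(self, url_bar_url: str) -> tuple:
        fp = first_party(url_bar_url)
        # Credentials depend only on the URL bar domain, never on the
        # third-party host that is actually being fetched.
        return (self.instance_tag + fp, str(self.nonces.get(fp, 0)))

    def new_circuit_for_site(self, url_bar_url: str) -> None:
        """Model of the 'new Tor Circuit for a site' menu option."""
        fp = first_party(url_bar_url)
        self.nonces[fp] = self.nonces.get(fp, 0) + 1


class TorClient:
    """Client side: streams with different SOCKS auth never share a circuit."""

    def __init__(self):
        self._ids = count(1)
        self._by_auth = {}

    def circuit_for(self, auth: tuple) -> int:
        if auth not in self._by_auth:
            self._by_auth[auth] = next(self._ids)  # build a fresh circuit
        return self._by_auth[auth]


def fetch(tor: TorClient, browser: Browser, url_bar_url: str, request_url: str) -> int:
    """Return the circuit id a request travels on. request_url is deliberately
    ignored: only the first party decides the circuit."""
    return tor.circuit_for(browser.socks_auth(url_bar_url))


def demo() -> dict:
    tor, tb = TorClient(), Browser()
    news, shop = "https://news.example/story", "https://shop.example/"
    widget = "https://widgets.example/like.js"  # same third party on both sites

    out = {
        "news_page": fetch(tor, tb, news, news),
        "widget_on_news": fetch(tor, tb, news, widget),
        "widget_on_shop": fetch(tor, tb, shop, widget),
    }
    tb.new_circuit_for_site(shop)
    out["widget_on_shop_after_new_circuit"] = fetch(tor, tb, shop, widget)

    # Two browser instances attached to the same tor client: identical,
    # deterministic credentials land on the same circuit unless a
    # per-instance prefix is mixed in.
    out["second_instance_untagged"] = fetch(tor, Browser(), news, news)
    out["second_instance_tagged"] = fetch(tor, Browser(instance_tag="tb2:"), news, news)
    return out


if __name__ == "__main__":
    for name, circuit in demo().items():
        print(f"{name:36s} circuit {circuit}")
```
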

We have also improved our resolution and locale fingerprinting defenses, and we now disable the device sensor and video statistics APIs.

New Search Provider


Our default search provider has also been changed to Disconnect. Disconnect provides private Google search results to Tor users without Captchas or bans.

Full Changelogs


Here is the complete list of changes in the 4.5 series since 4.0:

  • All Platforms
    • Update Tor to 0.2.6.7 with additional patches:
      • Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
    • Update NoScript to 2.6.9.22
    • Update HTTPS-Everywhere to 5.0.3
      • Bug 15689: Resume building HTTPS-Everywhere from git tags
    • Update meek to 0.17
    • Include obfs4proxy 0.0.5
      • Use obfs4proxy for obfs2, obfs3, obfs4, and ScrambleSuit bridges
    • Pluggable Transport Dependency Updates:
      • Bug 15265: Switch go.net repo to golang.org/x/net
      • Bug 15448: Use golang 1.4.2 for meek and obfs4proxy
    • Update Tor Launcher to 0.2.7.4. Changes since 0.2.7.0.2 in 4.0.8:
      • Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
      • Bug 13271: Display Bridge Configuration wizard pane before Proxy pane
      • Bug 13576: Don't strip "bridge" from the middle of bridge lines
      • Bug 13983: Directory search path fix for Tor Messenger+TorBirdy
      • Bug 14122: Hide logo if TOR_HIDE_BROWSER_LOGO set
      • Bug 14336: Fix navigation button display issues on some wizard panes
      • Bug 15657: Display the host:port of any connection failures in bootstrap
      • Bug 15704: Do not enable network if wizard is opened
    • Update Torbutton to 1.9.2.2. Changes since 1.7.0.2 in 4.0.8:
      • Bug 3455: Use SOCKS user+pass to isolate all requests from the same url domain
      • Bug 5698: Use "Tor Browser" branding in "About Tor Browser" dialog
      • Bug 7255: Warn users about maximizing windows
      • Bug 8400: Prompt for restart if disk records are enabled/disabled.
      • Bug 8641: Create browser UI to indicate current tab's Tor circuit IPs
        • (Many Circuit UI issues were fixed during 4.5; see release changelogs for those).
        • Bug 13651: Prevent circuit-status related UI hang.
        • Bug 13666: Various circuit status UI fixes
        • Bug 13671: Make bridges visible on circuit display
        • Bug 13672: Make circuit display optional
        • Bug 13881: Localize strings for tor circuit display
        • Bug 13882: Fix display of bridges after bridge settings have been changed
        • Bugs 13891+15207: Fix exceptions/errors in circuit display with bridges
        • Bug 14324: Show HS circuit in Tor circuit display
        • Bug 14866: Show correct circuit when more than one exists for a given domain
        • Bug 14937: Show meek and flashproxy bridges in tor circuit display
        • Bug 15086: Handle RTL text in Tor circuit display
        • Bug 15472: Make node text black in circuit status UI
        • Bug 15510: Close Tor Circuit UI control port connections on New Identity
      • Bug 9387: Security Slider 1.0
        • Include descriptions and tooltip hints for security levels
        • Notify users that the security slider exists
        • Make use of new SVG, jar, and MathML prefs
      • Bug 9442: Add New Circuit button to Torbutton menu
      • Bug 9906: Warn users before closing all windows and performing new identity.
      • Bug 10216: Add a pref to disable the local tor control port test
      • Bug 10280: Strings and pref for preventing plugin initialization.
      • Bug 11175: Remove "About Torbutton" from onion menu.
      • Bug 11236: Don't set omnibox order in Torbutton (to prevent translation)
      • Bug 11449: Fix new identity error if NoScript is not enabled
      • Bug 13019: Change locale spoofing pref to boolean
      • Bug 13079: Option to skip control port verification
      • Bug 13406: Stop directing users to download-easy.html.en on update
      • Bug 13650: Clip initial window height to 1000px
      • Bugs 13751+13900: Remove SafeCache cache isolation code in favor of C++ patch
      • Bug 13766: Set a 10 minute circuit lifespan for non-content requests
      • Bug 13835: Option to change default Tor Browser homepage
      • Bug 13998: Handle changes in NoScript 2.6.9.8+
      • Bug 14100: Option to hide NetworkSettings menuitem
      • Bug 14392: Don't steal input focus in about:tor search box
      • Bug 14429: Provide automatic window resizing, but disable for now
      • Bug 14448: Restore Torbutton menu operation on non-English localizations
      • Bug 14490: Use Disconnect search in about:tor search box
      • Bug 14630: Hide Torbutton's proxy settings tab.
      • Bug 14631: Improve profile access error msgs (strings for translation).
      • Bugs 14632+15334: Display Cookie Protections only if disk records are enabled
      • Bug 15085: Fix about:tor RTL text alignment problems
      • Bug 15460: Ensure FTP urls use content-window circuit isolation
      • Bug 15502: Wipe blob: URIs on New Identity
      • Bug 15533: Restore default security level when restoring defaults
      • Bug 15562: Bind SharedWorkers to thirdparty pref
    • Bug 3455: Patch Firefox SOCKS and proxy filters to allow user+pass isolation
    • Bug 4100: Raise HTTP Keep-Alive back to 115 second default
    • Bug 5698: Fix branding in "About Torbrowser" window
    • Bug 10280: Don't load any plugins into the address space by default
    • Bug 11236: Fix omnibox order for non-English builds
      • Also remove Amazon, eBay and bing; add Youtube and Twitter
    • Bug 11955: Backport HTTPS Certificate Pinning patches from Firefox 32
    • Bug 12430: Provide a preference to disable remote jar: urls
    • Bugs 12827+15794: Create preference to disable SVG images (for security slider)
    • Bug 13019: Prevent Javascript from leaking system locale
    • Bug 13379: Sign our MAR update files
    • Bug 13439: No canvas prompt for content callers
    • Bug 13548: Create preference to disable MathML (for security slider)
    • Bug 13586: Make meek use TLS session tickets (to look like stock Firefox).
    • Bug 13684: Backport Mozilla bug #1066190 (pinning issue fixed in Firefox 33)
    • Bug 13788: Fix broken meek in 4.5-alpha series
    • Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
    • Bug 13900: Remove 3rd party HTTP auth tokens via Firefox patch
    • Bug 14392: Make about:tor hide itself from the URL bar
    • Bug 14490: Make Disconnect the default omnibox search engine
    • Bug 14631: Improve startup error messages for filesystem permissions issues
    • Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
    • Bug 14937: Hard-code meek and flashproxy node fingerprints
    • Bug 15029: Don't prompt to include missing plugins
    • Bug 15406: Only include addons in incremental updates if they actually update
    • Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
    • Bug 15502: Isolate blob: URI scope to URL domain; block WebWorker access
    • Bug 15562: Disable Javascript SharedWorkers due to third party tracking
    • Bug 15757: Disable Mozilla video statistics API extensions
    • Bug 15758: Disable Device Sensor APIs

  • Linux

    • Bug 12468: Only print/write log messages if launched with --debug
    • Bug 13375: Create a hybrid GUI/desktop/shell launcher wrapper
    • Bug 13717: Make sure we use the bash shell on Linux
    • Bug 15672: Provide desktop app registration+unregistration for Linux
    • Bug 15747: Improve start-tor-browser argument handling

  • Windows

    • Bug 3861: Begin signing Tor Browser for Windows the Windows way
    • Bug 10761: Fix instances of shutdown crashes
    • Bug 13169: Don't use /dev/random on Windows for SSP
    • Bug 14688: Create shortcuts to desktop and start menu by default (optional)
    • Bug 15201: Disable 'runas Administrator' codepaths in updater
    • Bug 15539: Make installer exe signatures reproducibly removable

  • Mac

    • Bug 10138: Switch to 64bit builds for MacOS

    Here is the list of changes since the last 4.5 alpha (4.5a5):

    • All Platforms
      • Update Tor to 0.2.6.7 with additional patches:
        • Bug 15482: Reset timestamp_dirty each time a SOCKSAuth circuit is used
      • Update NoScript to 2.6.9.22
      • Update HTTPS-Everywhere to 5.0.3
        • Bug 15689: Resume building HTTPS-Everywhere from git tags
      • Update meek to 0.17
      • Update obfs4proxy to 0.0.5
      • Update Tor Launcher to 0.2.7.4
        • Bug 15704: Do not enable network if wizard is opened
        • Bug 11879: Stop bootstrap if Cancel or Open Settings is clicked
        • Bug 13576: Don't strip "bridge" from the middle of bridge lines
        • Bug 15657: Display the host:port of any connection failures in bootstrap
      • Update Torbutton to 1.9.2.2
        • Bug 15562: Bind SharedWorkers to thirdparty pref
        • Bug 15533: Restore default security level when restoring defaults
        • Bug 15510: Close Tor Circuit UI control port connections on New Identity
        • Bug 15472: Make node text black in circuit status UI
        • Bug 15502: Wipe blob URIs on New Identity
        • Bug 15795: Some security slider prefs do not trigger custom checkbox
        • Bug 14429: Disable automatic window resizing for now
      • Bug 4100: Raise HTTP Keep-Alive back to 115 second default
      • Bug 13875: Spoof window.devicePixelRatio to avoid DPI fingerprinting
      • Bug 15411: Remove old (and unused) cacheDomain cache isolation mechanism
      • Bugs 14716+13254: Fix issues with HTTP Auth usage and TLS connection info display
      • Bug 15502: Isolate blob URI scope to URL domain; block WebWorker access
      • Bug 15794: Crash on some pages with SVG images if SVG is disabled
      • Bug 15562: Disable Javascript SharedWorkers due to third party tracking
      • Bug 15757: Disable Mozilla video statistics API extensions
      • Bug 15758: Disable Device Sensor APIs
    • Linux
      • Bug 15747: Improve start-tor-browser argument handling
      • Bug 15672: Provide desktop app registration+unregistration for Linux
    • Windows
      • Bug 15539: Make installer exe signatures reproducibly removable
      • Bug 10761: Fix instances of shutdown crashes

    Post update 4/28/2015: Provide screenshots of the Tor Onion menu and Security Slider.
    Post update 4/28/2015: Add section headers.

    Anonymous

    April 28, 2015

    Permalink

    sha256.txt (from https://dist.torproject.org/torbrowser) says:
    d8b31cea99a3497f4630a922b4985505bbcb851190de02a2a500fab4193354c6 torbrowser-install-4.5_en-US.exe

    my downloads from dist and download/download-easy.html.en
    checked with hashmyfiles:
    a3219f359bf3f04056a1c8796d103d1bc2e0bd24f181538f70564b3d19532c3a torbrowser-install-4.5_en-US.exe

    gpg says 'Good Signature'

    Does anyone have any ideas why this is happening? I have the same problem. Should I go ahead and use the file that I just downloaded, not caring about the mismatch of the signatures?

    Anonymous

    April 28, 2015

    Permalink

    Where did the proxy settings tab go?

    Where are the settings at?

    Is there a different SOCKS Host number and Port now?

    Is it still SOCKS 5 or something different?

    Thank You:)

    Anonymous

    April 28, 2015

    Permalink

    Is [redacted] the default entry (guard) relay? [redacted] based IP. Just it always seems to enter Tor thru this IP. Is this by design?

    That is your "Guard" node. It is by design. See https://www.torproject.org/docs/faq.html.en#EntryGuards.

    You should not post that IP publicly, because knowing that IP gives an adversary a lot of ways to deanonymize you. I set a bad example by doing it in the screenshot, but I didn't want to confuse people with a weirdly redacted IP. The IP from the screenshot is not my normal Guard node, however. I would never publish my real Guard like that.

    I redacted your Guard IP for you.

    is deleting tor's state file the best (or only?) way to force it to pick a new guard?

    I would like to be able to manually add and remove nodes from my guard list without restarting tor and breaking all of my open circuits, via a control port interface, but I haven't found a way to.

    Anonymous

    April 28, 2015

    Permalink

    Norton anti virus flags the download saying that it is probably a virus. (Not looking for a debate about anti virus software, just thought someone should probably be made aware of this.)

    Yeah, nice illustration about the available Mac knowledge on older Mac's.

    "not working on macpro"

    Assuming that you're talking about an older Mac (not the Black Mac Pro).
    All Intel Macs with the right Mac OS X can run 64 bit applications, even the so-called 32 bit early 2006 "Core Duo" Macs (Macbooks for example) can run Firefox in 64 bit mode perfectly well (but not 'clone' Torbrowser).

    The alternative advertised (nice illustration of Mac knowledge again), running Tails from USB for example, is far from a user-friendly experience: who actually got it to work? I didn't.
    I'm really interested in who did on these Macs (and which USB brands).
    I know there must be a lot of people that have this dropped support problem; there still must be a lot of Macs from that period running. Probably even more in places where people cannot afford newer machines.
    Is this a Tails discussion? No actually not because it was advised as an alternative by Torproject. An alternative that is in my opinion not an alternative because it ain't working.

    Anyhow, this dropping Mac support discussion is a lost discussion, sad but true.

    On a Quad Core (or More Core) Mac Pro you can easily run Torbrowser and also Tails (at least from dvd) as well.
    Please make sure you run at least OS X 10.6 on your Intel Mac anyway.
    From different perspectives, functionality, 3rd party application support and security reasons this is the minimal OS X you should run on that or any Intel Mac.

    The advantage you get is that it will use the 64 bit possibilities and will give you a faster running Mac as well, even on a early 2006 Core Duo Mac.

    So, could it be that you're still running Mac OS X Leopard 10.5 or even Tiger 10.4?
    Just upgrade to Mac OS X Snow Leopard 10.6 anyhow.
    It's just worth it to do that, and if you were not on Snow Leopard yet this could be the cause of your problem because with Leopard you only can run applications in 32 bit mode and the new Torbrowser is 64 bit.

    So, with Snow Leopard you can also run applications in 64 bit mode, even on a 32 bit Mac (unless application developers somehow manage to drop support while even mother-Firefox is still supporting it. Still a safe browser on Mac's too).

    Beside the critics part, there is also a special thanks part (gotcha) :
    The 4.5 alpha version was already great from the beginning.
    The definite 4.5 version is even better.
    For example, finally fixed the Info Window and Security Information!

    Very good job,
    yes developers, I'm very pleased with that and thank you for that and the many more nice to have improvements.

    Anonymous

    April 28, 2015

    Permalink

    Hey,

    When trying to install on arch from the aur https://aur.archlinux.org/packages/tor-browser-en/

    I get this

    ==> Verifying source file signatures with gpg...
    tor-browser-linux64-4.5_en-US.tar.xz ... FAILED (unknown public key 2E1AC68ED40814E0)
    ==> ERROR: One or more PGP signatures could not be verified!
    ==> ERROR: Makepkg was unable to build tor-browser-en

    AUR packages are community contributed so the Arch Developers have nothing to do with this. The AUR package just pulls down the official tarballs and tries to verify the signature, so the signing key needs to be in the user's keyring, or the verification step will fail.

    This is documented in the deep dark most secret depths of the Arch Wiki: https://wiki.archlinux.org/index.php/Tor#Web_browsing

    There's also a way to get makepkg to skip checking PGP signatures (not recommended), hidden in the man page, but who has time to read documentation?

    Hey,

    can you just import the key?

    gpg --recv-keys 416F061063FEE659

    This is for vidalia as it had the same problem, after I imported the key everything went smoothly. Also why has support for vidalia stopped?? It was so easy to use and make relays.

    Anonymous

    April 28, 2015

    Permalink

    Why did you base it on firefox 31.6.0 and not the latest 37.0.2 ????

    31.6.0 is the current "Extended Support Release": https://www.mozilla.org/en-US/firefox/organizations/

    It still receives security patches but no other changes for 9 month intervals. This makes it easier for us to audit Firefox for privacy issues, as well as maintain our 60+ patches without needing to completely rewrite them every 6 weeks.

    We will be switching to Firefox 38 (the next Extended Support Release) this summer.

    Hrmm. According to https://github.com/asciimoo/searx/wiki/possible-search-engines, searx already uses Disconnect on the back end, at least for some stuff.

    I admit searx looks pretty nice as far as DIY search engine projects go, but at the end of the day it is just another one hop proxy for other major search engines. It seems like something we could add to the omnibox as an option, though. If you file a ticket with a patch or a search plugin xml file, I'd probably merge it. But I'm not convinced that it is overall a better default option than Disconnect at this point.

    Please don't change Disconnect if there are no issues with it as a company. I really like the search results from Disconnect, while search results from StartPage sucked big time.

    As a no-cellphone-having tor-for-everything privacy vegan, I've got to say: if your distrust of Google causes you to boycott things just because they're developed by ex-Google employees... wow. Good luck finding an operating system!

    I wouldn't trust disconnect.me not to track me any more or less than whoever is running searx.me (though with tor, any site's tracking ability shouldn't be able to extend across browsing sessions). If anyone wants to provide a captcha-free way to search Google I'll gladly take it.

    Unfortunately both searx.me and disconnect.me are giving me lots of non-matching results for an exact-phrase search I just did ("who compiles the compilers") which using Google directly does not.

    Searx is appealing because it is free software, of course, but Tor Browser shouldn't switch to any hosted instance of it without ensuring the operator is ready for the quantity of traffic that being the default entails.

    Anonymous

    April 28, 2015

    Permalink

    New 4.5 version does not work with HTTP/S proxy, that is bad. Staying at previous 4.0.8.

    It seems that SOCKS authenticators are deterministic, not random. It does not isolate streams of different Tor Browsers if they surf the same sites.

    What do you mean HTTP/S proxy? Where are you configuring this option in 4.0.8?

    The SOCKS authenticators don't need to be random. Tor uses them to provide isolation, not to choose which nodes to use. It still chooses randomly among all available nodes, it just keeps the streams on separate circuits if the auths are different.

    > What do you mean HTTP/S proxy? Where are you configuring this option in 4.0.8?

    Privoxy for example. Green onion button - Preferences - Proxy Settings - HTTP/SSL Proxy. (Although Edit - Preferences - Advanced - Network - Settings does not apply the options for some cause). I know that this is not the recommended use case, but prefer using HTTP proxy for the sake of statistics (torbrowser does not give detailed log of HTTP-session up to URL) and a separate chrooted Tor daemon which is more secure. I understand that HTTP proxy is quite uncommon option among majority of Tor users, but do not think that it is completely useless and should be excluded.

    > The SOCKS authenticators don't need to be random. Tor uses them to provide isolation, not to choose which nodes to use.

    Multiple Tor users may be created on the same system so that their separate profiles do not interfere. Their traffic can be interleaved over different SocksPorts, but using IsolateSOCKSAuth instead is more convenient. However, if authenticators are deterministic, these system users do not have different chains of nodes when browsing the same sites, and stream isolation is not provided for them in this case.

    I think the commenter is saying, in the second paragraph, that if you connect multiple Tor Browser instances to the same tor daemon, then tabs with the same urlbar domain on different TB instances will not get isolated circuits; and the commenter proposes adding a unique/random per-TB-instance prefix to the Socks credentials.

    Anonymous

    April 28, 2015

    Permalink

    I've 2 questions regarding the use of 4.5 version:

    (1) After extracting tor-browser-linux64-4.5_en-US.tar.xz, how do I launch Tor Browser using a terminal in Ubuntu?

    (2) How can I view real-time logging when using the latest 4.5 Tor Browser?

    I wish to see such a list of messages when connecting to Tor when I am using version 4.5. How do I go about doing it?

    Run ./start-tor-browser.desktop --help.

    At the bottom, you will see:

    Tor Browser Script Options
    --verbose Display Tor and Firefox output in the terminal
    --log [file] Record Tor and Firefox output in file (default: tor-browser.log)
    --detach Detach from terminal and run Tor Browser in the background.
    --register-app Register Tor Browser as a desktop app for this user
    --unregister-app Unregister Tor Browser as a desktop app for this user

    You probably want to run either ./start-tor-browser.desktop --verbose, or ./start-tor-browser.desktop --log. You can also do both at the same time.

    I had the same question (and surely many other would have it) and was kinda hard to find this answer though (thanks!)... I think it would be good to put this on the main post.

    Anonymous

    April 28, 2015

    Permalink

    Thanks for the update.

    But I have a problem with the meek.

    It works fine with Windows 8.1, but on another computer with Windows 7 Ultimate, meek doesn't work; Tor is stuck at the connecting screen. Other things like obfs4 seem to work.

    Is it just me or is something wrong?

    What does the tor log say? After it fails to connect, there should be a button that offers to copy the log to the clipboard. From there you can paste it into a text program and see what it says. If you see a line like this:
    We were supposed to connect to bridge '0.0.2.0:2' using pluggable transport 'meek', but we can't find a pluggable transport proxy supporting 'meek'. This can happen if you haven't provided a ClientTransportPlugin line, or if your pluggable transport proxy stopped running.
    If you see a line like that, something is wrong, and you can help us by opening a ticket on the bug tracker.

    While it is trying to connect, open the Windows task manager and see if you have processes named meek-client-torbrowser.exe and meek-client.exe.

    We can help you debug this. It will help if you can open a ticket. Create an account at https://trac.torproject.org/projects/tor/register and then make a new ticket at https://trac.torproject.org/projects/tor/newticket.

    Anonymous

    April 28, 2015

    Permalink

    Sorry to put it over this channel, I have no account on the mailing list.
    Apparently jeffstorrelay $A1BF187A0DCC05EFC6EC08667E69AF8CC9DB1E81 tried to degrade an SSL connection to a server. Connection was not possible due to incompatible ciphers. After changing the exit node the connection was possible, as it has been many times before.

    Anonymous

    April 29, 2015

    Permalink

    I got to say that this 4.5 version is a very good release due to all the new updates and improvements!

    Anonymous

    April 29, 2015

    Permalink

    It's good and all that we know the exact IP addresses of the circuits, but how exactly is this done? Without the relay knowing which node is what?

    It shouldn't be possible for a user to know all the nodes in the circuit, right? Other than the entry/exit, not the middle node? Or am I missing something?

    I don't want to be a target in the future just because somehow a relay might know which node is connecting to which.

    Torbutton is asking your local Tor client about circuit information and your local Tor client is giving that information back. It needs to know this (= the guard, the middle and the exit node) as it is building the circuit in the first place. This all happens on your computer and the relays themselves are not involved in selecting a path through the Tor network.

    Anonymous

    April 29, 2015

    Permalink

    I love your work, but your priority should be to enhance security with stronger encryption. That's THE main weakness of Tor.

    There is more and more abuse of power even in "free" countries like France. Tor has to react.

    No matter what algorithm you use, if an attacker controls both Entry and Exit node then you're deanonymized.

    What Tor needs is to attract more people who are willing to run Exit-nodes.

    Tor users need to find trusted friends who live in free countries and are willing to run a private bridge for the censored friend.

    Sure, and that's why I use a bridge in a trusted country (we can never be 100% sure...) and blacklist some exit nodes.
    I really don't understand why Tor doesn't take the encryption problem seriously.
    I suppose a central agency can decrypt Tor today, the NSA anyway, so if your enemy knows the right person, Tor becomes useless.