Tor Browser 6.0.8 released

Tor Browser 6.0.8 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

Besides updating Firefox to 45.6.0esr which is fixing important security bugs we ship the latest Tor stable version, 0.2.8.11. HTTPS-Everywhere is updated as well (to 5.2.8) and we make improvements to our default obfs4 bridges.

Here is the full changelog since 6.0.7:

  • All Platforms
    • Update Firefox to 45.6.0esr
    • Update Tor to 0.2.8.11
    • Update Torbutton to 1.9.5.13
    • Update HTTPS-Everywhere to 5.2.8
    • Bug 20809: Use non-/html search engine URL for DuckDuckGo search plugins
    • Bug 20837: Activate iat-mode for certain obfs4 bridges
    • Bug 20838: Uncomment NX01 default obfs4 bridge
    • Bug 20840: Rotate ports a third time for default obfs4 bridges
Anonymous

December 13, 2016

Permalink

I'm still waiting for that "Resize Tor Browser to default size" feature, anyway great work guys!

Adding to that, if I mistakenly double-click on a youtube video... poof! I go to fullscreen mode.
I suppose this reveals my screen resolution?
If so, it would be nice to block the feature.

Maybe in the security slider itself? Maybe even a "no possible way to change the resolution" option in the high security slider?

Interesting. Can it be done in a way that it can be communicated back to the server? Do you have a link to a proof of concept or more information?

Thanks for the links! I wasn't aware of the @media (anti-)feature. It sounds like CSS is well on its way to becoming just as dangerous (at least in terms of fingerprinting) as JavaScript. Thanks also to the poster of the later reply for the ip-check.info link!

I hope the developers can work out a solution, assuming there is one. Does the X11 or Wayland API support any way of permanently locking a normal window's size? Is there any way for this to work properly under a non-floating window manager, e.g. tiling? Is the resolution affected by themes/skins (at the GTK+ level, I guess) that could alter the size of the UI components, or are we just talking about the size of the rendering pane itself (excluding the title/status/tab/address/search bars)? What if the default window size is too large to fit on the screen?

Furthermore, how many other attack vectors like this are out there? Would it be safer in the long run to disable @media and fall back to the simple old-fashioned rules (at least for a given notch on the security slider)?

>ip-check.info

Unencrypted http= no way to authenticate via SSL/TLS cert= putting users at risk (tampering by malicious exit nodes, compromised host server of site, etc.)

Doesn't this make "ip-check.info" suspicious?

This feature is not only on tor everytime you doubleclick on a video on youtube it'll automatically go to fullscreen mode

Forcing constant updates on users is a tyranny of the majority. TOR needs to allow for an opt out of updates. A constant harassing flashing triangle is abuse. Offer an unobtrusive way of opting out of updates.

Alas, this won't happen anytime soon. Stop wanting to use a web browser, and then we'll be able to talk. Until then, you need your browser updates, and it's irresponsible of us to let you be on the Internet without them.

I also liked notification saying that resizing window size might deanonymize user with option to Restore back to Default Size. I think that is valuable information to inexperienced users.

I am not sure if that notification only shows once, or did I somehow close it in a way it doesn't pop back on, and I cant find where in options I could turn it back on.

I miss Restore back to original resolution button, without need to restart browser, since restarting browser closes tor service too and kills other connections via tor network in some cases.

Maybe include that button in Tor button or Menu, or make notification persistent, or at least reset "do not show anymore" for each new browser session.

Anonymous

December 13, 2016

Permalink

RaspBerry PI configured to be a Tor router is much better than Tor Browser.

This make you immune from Firefox exploit, you can use Chrome and Adobe flash player, run malware under Tor in VM too.

InvizBox.com is this, is cheap only $50.

No, this is likely terrible advice -- first because Flash will screw you, and second because routing all your traffic into Tor can mess up your privacy.

For more details, you should read
https://lists.torproject.org/pipermail/tor-relays/2014-October/005541.h…
and then
https://lists.torproject.org/pipermail/tor-relays/2014-October/005544.h…

The right thing to do if you have a separate box for routing your traffic is to set it up to *drop* all traffic that isn't going through Tor properly, and then only correctly configured applications can reach the network at all.

The "here's a magic anonymity box, now you don't have to change any of your behavior and you're magically safe!" model is super dangerous. Be careful out there!

For a scenario where everything on the machine needs to stay anonymous.. you would say what I wrote is not better than Tor Browser?

Also.. this setup makes so even Flash uses Tor.. connection to internet without Tor is impossible.

UDP traffic simply dont work on my laptop.

If you send personally identifiable information out to the internet, just using Tor won't help you in the slightest.
Tor Browser isn't simply "a browser that uses Tor". It was designed in such a way to limit the amount of fingerprintable information that can be used to identify you (or, more specifically: your browser and system).
If you send out an information saying "My name is X" it doesn't matter what channel it travels through. What matters is it reveals who you are to anyone on the other side of that channel.
This is Tor 101.

Also it has different circuits for each website, which is impossible (anyone to confirm?) to achieve using that Anonabox.

This is wrong. The circuit isolation is triggered by the browser using a different socks username/password for different circuits. This works with a Tor running on a different box.

> For a scenario where everything on the machine needs to stay anonymous.. you would say what I wrote is not better than Tor Browser?

If you want all of your machine to stay anonymous then use: Tails (live system), Qubes OS with Whonix, or Subgraph OS.

Raspberry pi is not free but a better solution than forced to buy an expensive computer you cannot afford, just because some people dropped 32 bit support for a browser.
So a working anonymous browsing system on a raspberry pi or lookalike would be a good alternative solution for people that do not live in the great and rich western world.

I use faster Penryn (second generation laptop C2D) with 4gb pc2-6400. i have a heavy firewall running. Craigslist price is about $60 in large urban area. Less if beat up with weak battery.
T400 for less than $80.

XFCE Linux might run TBB faster.
TBB might run OK on faster Merom (first generation laptop C2D) with 3gb. (Latitude D830 or D630 with weak battery, $40 in large urban location)
Thinkpad T61 probably costs a little more.

An early Windows 7 AMD is probably as good.

If you want large display, then buy Conroe C2D such as Optiplex

TBB needs more power than regular Firefox, which runs OK on weak Yonah.

Can't speak for anyone else, but I really don't recommend routing HD video or other high bandwidth traffic over Tor without at least some indication that it is anonymous at all. Relays already generously provide bandwidth for those in need, and in the past have had trouble keeping up with demand. And hogging all that bandwidth for TV is pointless if it is, e.g. sending its serial number, MAC address to the server anyway. But if you do, please consider running a relay to give back some of the bandwidth.

SERIOUS PROBLEM WITH TAILS DONATE PAGE- I hope someone will forward to Tails devs:

In latest Tails 2.9.1
From page at
https://tails.boum.org/donate/index.en.html
clicking-on "donate" button, goes to:
https://www.paypal.com/cgi-bin/webscr
with message:
>Access Denied
>You don't have permission to access "http://www.paypal.com/cgi-bin/webscr" on this server.

Here your approach is to use hardware isolation and always force the traffic to go trough Tor. While it seems a good approach at first, the devil is in the details.

Since the Firefox exploits work on Firefox and not on the tor daemon that is in your SBC(RaspBerry PI) an exploit would compromise your laptop.

Once the laptop is compromised, the traffic still goes trough Tor but:
- Since the attacker controls your laptop, the attacker can identify uniquely, at the exit node the traffic. At this point the attacker still doesn't know where you are located.
- An attacker can monitor all your traffic and access all your files, and with that knowledge try to find your name and position.
- To compute your position, the attacker can use all the laptop's hardware (WiFi, Bluetooth, etc), all the serial numbers (MAC Address, BIOS or UEFI DMI information, various serial number)
- An attacker can use the camera and microphone(s) to gather information on the environment of the laptop.
- An attacker can install persistent malware at the BIOS level or even with higher privileges than that.
- An attacker can try to compromise all the devices you connect to the computer.
- An attacker can try to compromise all accounts you connect to from the computer.

Using physical separation effectively probably requires you do fabricate your own hardware, to avoid all the serial number issues.
Even with that they might not be avoidable entirely:
- CPU might have serial numbers or at least have a way to identify the revision.
- Almost all storage devices uses serial number.

Then if you are the only one using that hardware, you have an issue since you will be deanonymized easily.
You then need to mass produce such hardware, and ensure that it doesn't get compromised at fabrication or shipping.

If some common hardware meet the requirements, and maybe some SBC do(to replace your laptop, not the tor-router ), it would probably work.

The first thing to do, in order to work in this direction, would probably be to:
- Draft precise requirements/specifications
- Review existing hardware, to see if they can meet the specifications.

Actually, it doesn't make you immune to the Firefox exploit, it would just prevent the payload from getting your real IP. Your computer's serial number, MAC address, hostname, etc. would still be sent to home base over Tor.

Except invizibox is a terribly designed "Tor router" which is effectively a scam. It has too many problems to name, both in implementation, and fundamental design. If you actually need a Tor router, you should patch OpenWRT as The Grugq's PORTAL. Or better yet, don't use something crappy like that at all, and use Whonix with a hardware gateway (rather than a VM gateway).

Anonymous

December 13, 2016

Permalink

thanks for another incredibly timely release!

Anonymous

December 13, 2016

Permalink

Thanks for all the great work!

Just a small feature suggestion: make the Torbutton icon display the current security level in some way (e.g. through different coloring or emblems). That way the user is immediately aware of their current security setting before visiting some webpage. I think this would also encourage users to set the security level higher more often.

Anonymous

December 14, 2016

In reply to by Anonymous (not verified)

Permalink

I think complete recoloring, particularity the red icon, would confuse users too much, it would make them think that something is wrong. And the green onion icon is pretty... iconic.

I have in mind something like this:

  • Low: the green onion as it is now
  • Medium-low: add bronze outline around the green onion
  • Medium-high: silver outline
  • High: gold outline