Tor Browser 7.0.1 is released

Tor Browser 7.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 7.0 series, updating Firefox to 52.2.0esr, Tor to 0.3.0.8, and HTTPS-Everywhere to 5.2.18. Additionally, we worked around an annoying freezing of Tor Browser which is due to a NoScript bug and made the security slider window slightly larger.

Here is the full changelog since 7.0:

  • All Platforms
    • Update Firefox to 52.2.0esr
    • Update Tor to 0.3.0.8
    • Update Torbutton to 1.9.7.4
      • Bug 22542: Security Settings window too small on macOS 10.12
    • Update HTTPS-Everywhere to 5.2.18
    • Bug 22362: NoScript's XSS filter freezes the browser
  • OS X
    • Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0

Anon

June 15, 2017

I just posted a comment (reply to another comment).

Besides the expected:

Your comment has been queued for review by site administrators and will be published after approval.

I also got this:

Warning: mkdir(): File exists in Drupal\Component\PhpStorage\FileStorage->createDirectory() (line 157 of core/lib/Drupal/Component/PhpStorage/FileStorage.php).

Anon

June 15, 2017

Can't connect with bridges after updating from 700 to 701. Started fine before update and worked before I did the update, now stuck on the connecting window. It was working literally 5 minutes earlier. custom obfs4 bridges. win 32-bit. Now I have to connect w/o bridges or it won't work. This happened about a year ago too after an update.

16.6.2017 04:24:59.900 [NOTICE] Ignoring directory request, since no bridge nodes are available yet.
16.6.2017 04:24:59.900 [NOTICE] Bootstrapped 5%: Connecting to directory server
16.6.2017 04:25:00.100 [NOTICE] Bootstrapped 10%: Finishing handshake with directory server
16.6.2017 04:25:00.600 [NOTICE] Bootstrapped 15%: Establishing an encrypted directory connection
16.6.2017 04:25:00.700 [NOTICE] Bootstrapped 20%: Asking for networkstatus consensus
16.6.2017 04:25:00.800 [NOTICE] Bootstrapped 50%: Loading relay descriptors
16.6.2017 04:25:02.300 [WARN] Proxy Client: unable to connect to xxxxxxxxxxxxxxx ("general SOCKS server failure")
16.6.2017 04:25:07.100 [WARN] Proxy Client: unable to connect to xxxxxxxxxxxxxxx ("general SOCKS server failure")
16.6.2017 04:25:40.000 [NOTICE] Closing no-longer-configured Socks listener on 127.0.0.1:9150
16.6.2017 04:25:40.000 [NOTICE] DisableNetwork is set. Tor will not make or accept non-control network connections. Shutting down all existing connections.
16.6.2017 04:25:40.000 [NOTICE] Closing old Socks listener on 127.0.0.1:9150
16.6.2017 04:25:40.900 [NOTICE] Delaying directory fetches: DisableNetwork is set.

Anon

June 15, 2017

How do I change my IP without clicking "new identity", "New Tor Circles for this Site", or waiting some minutes?

Anon

June 16, 2017

Many thanks for providing Tor, Tor Browser, Tor Messenger &c!

It seems that your web page listing signing keys

https://www.torproject.org/docs/signing-keys.html.en

is seriously out of date. Both keys listed for Roger D appear to have been revoked (but this is "unverified", says at least one key server). The first key listed for Peter P also appears to have been revoked. And Jacob A is listed as signing some Tor products, but if memory serves he is no longer with Tor Project.

Also, when I try to post, the page appears to reload endlessly, so the new blog format may not be working correctly.

Hi, arma, thanks for opening the bug report.

> (It is fine and reasonable to have old keys on the list, since the goal of the page is to describe all of the keys that have signed all of the packages over time.)

Fair enough, but you should state this on the page and should probably explain that Tor Project knows some of the keys have expired.

It would be of great interest to hear anything you are willing to share about why the keys were revoked. I am guessing "was tired, goofed, revoked key in abundance of caution" rather than "uncovered unambiguous evidence of GRU messing with my keyring", but as World+Dog finally appears to recognize, the latter scenario should never have been regarded as highly implausible.

Neither of my keys have been revoked. The 4096-bit one has a subkey, and the subkeys periodically expire and I replace them with fresh ones. It's possible that your pgp or gpg or whatever is displaying the expired ones as revoked, when really it should just be saying "expired".

It's also possible you have fake keys that claim to be mine but aren't. Some years ago some jerk published fake keys (i.e. keys that collide in the last 8 hexes) for all of the top 1000 pgp keys. See e.g. https://lwn.net/Articles/698203/
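The two points in the reply above (an expired subkey is not a revoked one, and keys can collide in the last 8 hex digits), as an added example that is not part of the original comments and is not Tor Project code. It assumes GnuPG's `--with-colons` record layout (validity in field 2, fingerprint in field 10 of `fpr` records); the listing and every fingerprint in it are constructed, not real keys.

```python
# Constructed `gpg --with-colons --list-keys` style output (NOT real keys).
# Both primary keys end in the same 8 hex digits, i.e. share a short key ID.
SAMPLE_LISTING = """\
pub:-:4096:1:6D7E8F90DEADBEEF:1300000000:::-:::scESC:
fpr:::::::::A1B2C3D4E5F60718293A4B5C6D7E8F90DEADBEEF:
uid:-::::1300000000::::Example Signer <signer@example.org>:
sub:e:4096:1:1111222233334444:1400000000:1460000000:::::s:
fpr:::::::::00112233445566778899AABB1111222233334444:
sub:-:4096:1:5555666677778888:1490000000:1550000000:::::s:
fpr:::::::::CCDDEEFF00112233445566775555666677778888:
pub:-:4096:1:C3D2E1F0DEADBEEF:1470000000:::-:::scESC:
fpr:::::::::0F1E2D3C4B5A69788796A5B4C3D2E1F0DEADBEEF:
uid:-::::1470000000::::Example Signer <signer@example.org>:
"""


def status(validity):
    """Map the validity field: 'r' is revoked, 'e' is merely expired."""
    if validity == "r":
        return "revoked"
    if validity == "e":
        return "expired"
    return "not expired or revoked"


def parse_keys(listing):
    """Return one dict per primary key, each with its list of subkeys."""
    keys, current = [], None
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            current = {"status": status(f[1]), "fpr": None}
            if f[0] == "pub":
                current["subkeys"] = []
                keys.append(current)
            elif keys:
                keys[-1]["subkeys"].append(current)
        elif f[0] == "fpr" and current is not None and current["fpr"] is None:
            # The first fpr record after a pub/sub record belongs to that key.
            current["fpr"] = f[9].upper()
    return keys


def find_by_short_id(keys, short_id):
    """Lookup by the last 8 hex digits: can return more than one key."""
    return [k["fpr"] for k in keys if k["fpr"].endswith(short_id.upper())]


def find_pinned(keys, pinned_fpr):
    """Lookup by full fingerprint obtained out of band; refuses key IDs."""
    pinned = pinned_fpr.replace(" ", "").upper()
    if len(pinned) != 40:
        raise ValueError("pin a full 40-hex-digit fingerprint, not a key ID")
    for k in keys:
        if k["fpr"] == pinned:
            return k
    return None


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_LISTING)
    print("short ID DEADBEEF matches:", find_by_short_id(keys, "DEADBEEF"))
    real = find_pinned(keys, "A1B2 C3D4 E5F6 0718 293A 4B5C 6D7E 8F90 DEAD BEEF")
    print("pinned key subkeys:", [s["status"] for s in real["subkeys"]])
```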

Interesting discussion, thanks--- I am rarely able to read LWN so a working link was a treat! I was aware of the short key-id issue but we should all probably do more to make more Tor users aware of it.

I have a link for you too. The Intercept is publishing an important series of stories which I hope Tor leadership will read, since I think it supports the view I have expressed for many years that ordinary citizens are far more likely than most people yet acknowledge to be targeted by some pretty frightful operatives, and reveals the urgency of strengthening Tor to help ordinary citizens protect themselves from political stalking and other targeted surveillance:

https://theintercept.com/2017/06/21/as-standing-rock-camps-cleared-out-…
As Standing Rock Camps Cleared Out, TigerSwan Expanded Surveillance to Array of Progressive Causes
Alleen Brown, Will Parrish, Alice Speri
21 Jun 2017

I note that people with all kind of political views can be targeted in such operations--- the takeaway of the Intercept series, I think, is that citizens need not encourage even modestly illegal actions (e.g. sit-ins) or even to be very "radical" to be personally targeted by all kinds of groups, potentially including non-governmental hate groups as well as corporate or "establishment" political operatives, and of course various "security authorities".

I worry about the authenticity of security-critical keys used to sign Tor products and other personal cybersecurity products. No doubt you would agree that the Web of Trust has many deficiencies (e.g. most Tor users lack opportunity to attend key-signing parties with Tor employees who sign packages), but it seems no-one has yet developed a credible improvement and I think that has to change as governments (and . I recognize that "absolute confidence" is a chimera, but ask developers to recognize that "defense in depth" against malicious schemes employed by governments and other attackers hardly requires large quantities of Unobtainium to be effective. The goal should be to significantly hinder attackers while maintaining a reasonable level of convenience for users. Even a very sophisticated state-sponsored attacker, like any kind of predator, is likely to focus on "low hanging fruit", in the context of what governments and megacorporations view as a global environment rich with multiple potential threats to their wealth and power.

I love the notion of using onion services to thwart governments and other attackers using MITM type schemes to trojan software as it is being downloaded (potentially altering signing keys and detached signatures to mask a malicious modification to a software package). As Tor Messenger matures, is it possible that some brainstorming might reveal a useful scheme exploiting TM and/or onion services to improve user confidence in authenticity of signing keys? (Ideally, not just for Tor Project but for any FOSS project.)

Can you ask the Tails developers to integrate the Tor-keys in Tails? It would be a smart! possibility to test the integrity of a TBB download.

"[...] integrate the Tor-keys in Tails."

Yesss, please do that. I propose that, too.
It's comical to trust the process of verifying TBB download on the same PC with installed operating system, if you don't trust this downloaded TBB.exe with fingerprint integrated -sha1(-:.
The possibility to test this TBB download with good verified Tails would help more than a little bit.

Plus one. This is exactly the kind of easy measure which can improve user confidence with very little extra trouble to developers.

Well, this is certainly an awkward development:

From:

https://www.torproject.org/about/sponsors
...
Active Sponsors in 2017:
...
SRI International (2011-2017)

And from

https://wikileaks.org/vault7/#Cherry%20Blossom

Today, June 15th 2017, WikiLeaks publishes documents from the CherryBlossom project of the CIA that was developed and implemented with the help of the US nonprofit Stanford Research Institute (SRI International).

CherryBlossom provides a means of monitoring the Internet activity of and performing software exploits on Targets of interest. In particular, CherryBlossom is focused on compromising wireless networking devices, such as wireless routers and access points (APs), to achieve these goals. Such Wi-Fi devices are commonly used as part of the Internet infrastructure in private homes, public spaces (bars, hotels or airports), small and medium sized companies as well as enterprise offices. Therefore these devices are the ideal spot for "Man-In-The-Middle" attacks, as they can easily monitor, control and manipulate the Internet traffic of connected users. By altering the data stream between the user and Internet services, the infected device can inject malicious content into the stream to exploit vulnerabilities in applications or the operating system on the computer of the targeted user.
...

Interesting!

We've used them as a pass-through funder for two grants:
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorF
https://trac.torproject.org/projects/tor/wiki/org/sponsors/SponsorR
https://lists.torproject.org/pipermail/tor-talk/2015-April/037538.html
and that second one is ending in August.

It looks like SRI is a big place, and they do some harmful things. I'm still happy they've helped us handle the bureaucracy of receiving government funding.

As a final link you might find interesting, check out
https://blog.torproject.org/category/tags/form-990

Hi arma, thanks much for the prompt reply.

I think you once told me what "pass-through" means, but that was years ago and I have forgotten the definition.

Agree that these government think-tanks and even some federal agencies tend to be huge institutions which have stuck their fingers in many pies, not all of them very savory.

Still, I hope this will serve as a reminder to Shari and all of the continued urgent requirement to struggle to move away from USG funding to user funding. By this point I expect a depressing report on the result of the funding drive, but even disappointing numbers might help to make some users realize that the Project really needs them to find some way to send money, precisely in order to avoid being "captured" by USG. Which is involved in all manner of "effects operations" which run completely contrary to Tor Project goals. (And to some of the USG's occasionally benign activities, no doubt.)

While I have your ear, I hope Shari is also continually working to strengthen "political" alliances which can perhaps fight off the very real danger that unbackdoored cryptology will simply be outlawed in USA, EU, or both. As I trust you both know,

o embattled PM May continues to call for backdoors in all UK crypto,

o former DNI Clapper (he of the "least untruthful answer" while testifying under oath) and other "moderate" figures [sic] continue to demand US backdoors,

o similar insistent demands in DE and other EU countries continue.

So this is a political battle which Tor Project simply cannot ignore, because if such mandates become law in nation X, Tor will no longer be legal to use in nation X. Unless TP decides to abandon the "no backdoor" vow. Which I hope will never happen, particularly if it is done *secretly*, for example after a *secret* law with a *secret* mandate forcing all technologies to *secretly* incorporate *secret* backdoors, which seems to be what Clapper & co. are really demanding when they make the nonsensical claim that society can have strong crypto and instant accessibility (to the "security authorities") at the same time.

It's likely most of the five eyes and partners were also pressured to loosen up the public as they suddenly started talking about backdooring as well as companies/manufacturers/citizens handing over crypto keys at the same time.

good

02:44:50.645 IndexedDB Maintenance finished with error: NS_ERROR_NOT_AVAILABLE: ActorsParent.cpp:18869 1 (unknown)

13:24:12.532 Unknown source for one-off search: paste 1 BrowserUsageTelemetry.jsm:286
recordSearch resource:///modules/BrowserUsageTelemetry.jsm:286:15
BrowserSearch.recordOneoffSearchInTelemetry chrome://browser/content/browser.js:3856:7
handleSearchCommandWhere chrome://browser/content/search/search.xml:401:15
handleSearchCommand chrome://browser/content/search/search.xml:362:11
BrowserSearch.pasteAndSearch chrome://browser/content/browser.js:3778:5
oncommand chrome://browser/content/browser.xul:1:1

My browser does not open after the update. I'm using Windows 10 and no screen appears or anything else after the update. ???????

Me too. Took 7.01 out, reboot, put it back reboot. No error, nothing happens. Tried a Launch from the app folder, nothing happens. Tried the 7.5a test one, nothing happens. If I was not paranoid, I'd think MS had shut Tor out. Er...

Try uninstalling your antivirus/firewall software, it often prevents Tor Browser from starting if it ships new tor versions as the recent major version did. Disabling it might not be enough for what it is worth.

Ok, I realise ip-check.info needs to fix their test for authentication... but why is it that the unique ID the test shows never changes even after manually selecting a new tor circuit?

Can someone please tell me if this is purely a result of outdated code on their site or are there also some bugs in the client? Should I feel secure using this build right now or not?

We are quite sure that this is a bug in the test. You get the same ID as the site can still access the tracking data it planted in your browser (but that tracking data will *not* be available to a different website which is the whole point of our defense and the ip check does not test) and selecting a new Tor circuit does not change that. You'd need to request a New Identity (on the same Torbutton menu) in that case.

Debian users anxiously awaiting the advent of Stretch (expected any minute as I write) will be heartened by this note confirming that the onion service mirrors should work for Stretch:

https://micronews.debian.org/index22.html

A followup post from Peter P on the mirrors in this blog would be good.

> confirms

Ooops--- it doesn't; I missed the date on that post. Nevertheless I hope and believe (haven't yet been able to check) that the onion mirrors will correctly handle the rollover to the new stable (Stretch, aka Debian 9), as long as your sources.list does not contain repositories which are not designated by the version name (e.g. Jessie, Stretch).

Anon

June 23, 2017

From

https://www.debian.org/releases/stretch/amd64/release-notes/ch-informat…

it appears that the sources.list lines needed to use the Onion mirrors of the Debian repository are:

# deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
# deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main

As I read the page, you can change "main" to "main contrib non-free" to obtain the full repos.

My initial attempt to use this did not appear to work, but I'll try again and report back if possible. Has anyone here used the Debian mirrors with Debian 9 (stretch) successfully?

Anyone know why a base install of Debian 9 (stretch) includes linear programming solvers and other rather sophisticated mathematical tools? Is this cryptography related?

If you actually have the # marks before the deb lines, that makes them comments, so they'll be ignored. So, remove the # characters and try again?

See also https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian… for more on apt-transport-tor and friends. (Note: this topic has nothing to do with tor browser.)

Can you guys help me out? I got Tor 6.5.2 but when I updated to 7.0.1 it stopped working and won't open. I tried installing it again but it doesn't work.

I have the same issue that you do but it is quite simple to fix
just "install" it somewhere else, that worked for me but I still have the issue that when I update to 7.0.1 it stops working (I used tor with ublock origin, I tried tor without it and I still have the same issue so I don't think it is the issue)

What system are you on?

Are you using Windows? If so, try uninstalling your antivirus/firewall software first and see if that fixes things. (Disabling it is often not enough.)

Tor Browser rules!

I found this thing loading with firefox is stopping the load on mine.
Trusteer\Rapport
It is a bank website security thing that seems to think Tor is a valid browser to load into.
Tor disagrees.
I shut down the service and Tor loaded OK.

Ever since upgrading to Tor Browser 7.0.1, I have to download images twice. First the image loads in my browser, then when I click "Save Image As..." the file has to be downloaded a second time in order to save it to disk. This is new behavior that did not occur in previous versions of Tor Browser. (Fyi - I am using Windows XP, but please don't judge. Thanks!)

Yes, we did not get the isolation for the first party domain right in the Save As... case (see: https://trac.torproject.org/projects/tor/ticket/22343). We have a patch which is currently under review. I hope it will be available in one of the next Tor Browser versions.

Thanks for replying to my question! I'm glad to know what was causing the problem. Good luck with the fix. Cheers.

Tor update not possible, System Unsupportive!

I refuse to update Osx Mountain Lion, no need for SIRI shit!
But I hope TOR is still safe, even if it refuses to update.

No, it is not safe anymore to use the old Tor Browser (6.5.2). In the new Tor Browser version there have been a number of critical Firefox vulnerabilities fixed. Some of those might not apply to the old Tor Browser but some do.

(1) Every time Tor Browser restarts, Adblock Plus loses all of its filter subscriptions! This is highly annoying and also perhaps not immediately noticeable by some (which could be a security issue).

(2) The zoom level of a tab gets reset to 100% every time I choose a different link from bookmarks. Simplest example: I open a blank tab, set zoom level to 90%, go to Bookmarks and select any page - the result will be that the tab will open with a 100% zoom level!

Re (2): This happens in a normal Firefox as well now it seems. Feel free to open a bug in Mozilla's bug tracker at https://bugzilla.mozilla.org.

Re (1): Do you have steps to reproduce that I could try? We don't ship adblockers and don't test with any of them. Thus, I could need some help here.

(2) Wow, you are right! That is weird...

(1) Well, this is easy. :)

- install Tor Browser,
- install Adblock Plus add-on,
- add any filter subscription to Adblock Plus (e.g. EasyList),
- close Tor Browser,
- open Tor Browser again,
- look at Adblock Plus's filter subscription list - it is empty.

Does this reproduce?

I followed your steps with a clean Tor Browser 7.0.1 (en-US) on a Linux box. The filter list I added (I chose the first from the drop-down menu) was still there after a restart. Note, there was already an EasyList list enabled by default before I added yet another one. And both survived a new start. So, I wonder what is different in your scenario then? Does that happen with a clean, new Tor Browser 7.0.1? If so, on which platform?

I am running Tor Browser on Windows 7. And it's not a clean install, it's an upgrade from the previous version. (BTW, the bug with Adblock Plus might have appeared in version 7.0, not necessarily in 7.0.1; I used the 7.0 for too short a time to notice.)

However, since most Tor Browser users, like me, probably upgrade instead of doing a clean install each time a new version comes out, I do not believe this disqualifies the issue I've found from being looked into...

(I don't think anybody is saying "Oh, you're upgrading? Then of course it should be broken and we don't want to fix it." Rather, they are trying to give you debugging steps to help you reproduce the problem better, and ideally to help you reproduce the problem in as simple a scenario as possible, so other people can see it happening too.)

I didn't say they were saying that... :) Sorry if it came out a bit harsh.

However, I have, lamentably far too often, found that developers take the approach: "Oh, this bug doesn't reproduce on a clean install? You have some other stuff going on? Sorry, not our problem. Try a clean install." And one is left wondering: "Umm... Ok, and what about my bookmarks / extensions / configs / other software / etc?.."

So, to resume the debugging, does that happen with a clean, new install of Tor Browser (and Adblock Plus) on your system? If not, we need to compare the differences to narrow the issue down.

- Ok, so I just deleted my Tor Browser and did a FRESH install of version 7.0.2.
- Added the AdBlock Plus addon, added a subscription.
- Restarted Tor Browser.
- The subscription is GONE...