Tor Browser 7.0.1 is released

Tor Browser 7.0.1 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This is the first minor release in the 7.0 series, updating Firefox to 52.2.0esr, Tor to 0.3.0.8, and HTTPS-Everywhere to 5.2.18. Additionally, we worked around an annoying Tor Browser freeze caused by a NoScript bug and made the security slider window slightly larger.

Here is the full changelog since 7.0:

  • All Platforms
    • Update Firefox to 52.2.0esr
    • Update Tor to 0.3.0.8
    • Update Torbutton to 1.9.7.4
      • Bug 22542: Security Settings window too small on macOS 10.12
    • Update HTTPS-Everywhere to 5.2.18
    • Bug 22362: NoScript's XSS filter freezes the browser
  • OS X
    • Bug 22558: Don't update OS X 10.7.x and 10.8.x users to Tor Browser 7.0

If you're using the Medium security setting, switch to Low instead when using ProtonMail. This is due to the fact that JIT (Just-in-time JS compilation) is disabled with Medium and High security settings, and hence you notice those performance hits. Hope that helps!

Anon

June 23, 2017

yes

New color scheme in... this blog?

If so, previously I could not see buttons but in the new version I can. (Using either the TB version provided with Tails 3.0, and also TB 7.0.1 under Debian 9.0.) Not perfect by any means (I experience the endless reload after each comment submission), but not worse than previous, and presumably an improvement in terms of anti-robo-trolling for the TP maintainers.

Welcome to the Tor community!

You may also want to try out Tails:

https://blog.torproject.org/blog/tails-30-out

This comes as an iso image you can burn to DVD, and if you have a 64-bit computer (PC or laptop) which can boot from a live DVD, you can gain significant anonymity/security assurances from using Tails (although nothing is perfect).

I just installed Debian 9 ("stretch") using the onion mirrors and am very enthusiastic about the increased cooperation in the past year or so among Tor Project, Tails Project, and Debian Project, so you may want to look at Debian too

debian.org

I have confirmed that you can install Debian 9 off-line (no network mirror) from DVD#1, and that then installing apt-transport-tor and putting these lines in your synaptic configuration

deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main

enables you to install and update entirely via Tor, which among other benefits entirely evades the mounting problems with those horrid fake certificates used for state-sponsored MITM in order to trojan software as it is being downloaded to a citizen's personal computer. See

https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian…

for a somewhat outdated posting on the onion mirrors. In particular, the onion mirrors now include the *full* Debian repository, which is a huge advance.

There is a huge flaw in this scheme: many otherwise valuable STEM applications (or security-enhancing things like FOSS IDS) in the Debian archive appear to come with small or large mail programs which attempt to send useless unencrypted email messages to the user. Worse, this "misconfiguration by default" is often impossible for ordinary citizens to disable. Even worse, these mail programs typically assume any user must be on a large .edu system, and if this assumption is not met, the emails are not always sinkholed. Even if actual emails (very possibly containing sensitive information about the system) are not sent, unencrypted DNS lookups make things much too easy for the bad guys.

The most serious issue here might be the possibility that sensitive system information could be exposed to the internet by "misconfigured" utilities installed on the PC which offer no disable option for "helpful" unencrypted emails to "root", and which incorrectly assume that

o the operator has a valid email address

o used the correct domainname for the "domainname" setting when using the Debian installer.

Such misbehavior could perhaps be stopped by setting up a personal firewall; blocking outbound (and inbound) traffic on port 25 might at least prevent sensitive unencrypted emails from being sent into the internet.

The following HOWTO seems to describe firewalling a server rather than making a personal firewall for a PC, but I can't find better advice:

https://wiki.debian.org/HowTo/shorewall

A personal firewall won't fix outbound dns lookups by bsd-mailx or exim4 trying to email the hapless user (since you can't block outbound dns lookups without breaking Tor, yes?), or the lack of security awareness of certain otherwise useful STEM applications.

Question: what iptables rules are likely to break the proper functioning of Tor traffic from a PC which uses a commercial SOHO router with DHCP server to connect to the internet?

Examples of legit Tor traffic from a PC running Debian 9.0:

o Tor Browser

o debian-tor for updating software via the onion mirrors
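
An added example, not part of the original comments: a small Python check for the apt-transport-tor setup described above. It classifies each APT source entry by how apt would reach it, so that entries which bypass Tor stand out. The sample file content is constructed; only the two onion entries come from the page, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed sample sources.list: the two onion entries quoted in the comment
# above, plus leftovers an offline DVD install might leave behind (assumed).
SAMPLE_SOURCES = """\
# deb cdrom:[Debian GNU/Linux 9.0.0 _Stretch_ - DVD Binary-1]/ stretch main
deb cdrom:[Debian GNU/Linux 9.0.0 _Stretch_ - DVD Binary-1]/ stretch main
deb tor+http://vwakviie2ienjx6t.onion/debian stretch main
deb tor+http://sgvtcaew4bxjd7ln.onion/debian-security stretch/updates main
deb [arch=amd64] http://security.debian.org/debian-security stretch/updates main
deb-src tor+https://deb.debian.org/debian stretch main
"""

# One-line-style entry: type, optional [options] block, then the URI.
ENTRY = re.compile(r"^(deb|deb-src)\s+(?:\[[^\]]*\]\s+)?(\S+)")

def classify(uri):
    """Return 'local', 'clearnet', 'onion' or 'tor-exit' for an APT URI."""
    scheme = uri.split(":", 1)[0].lower()
    if scheme in ("cdrom", "file", "copy"):
        return "local"        # installation media or disk, no network traffic
    if not scheme.startswith("tor+"):
        return "clearnet"     # fetched directly, visible to the local network
    host = urlsplit(uri[len("tor+"):]).hostname or ""
    # tor+ to a non-onion host still goes through Tor but leaves via an exit.
    return "onion" if host.endswith(".onion") else "tor-exit"

def audit(text):
    """List (line number, classification, URI) for every active entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = ENTRY.match(line.strip())  # commented-out lines do not match
        if match:
            findings.append((lineno, classify(match.group(2)), match.group(2)))
    return findings

def clearnet_entries(text):
    """Entries that would be downloaded without going through Tor."""
    return [f for f in audit(text) if f[1] == "clearnet"]

if __name__ == "__main__":
    for lineno, kind, uri in audit(SAMPLE_SOURCES):
        print(f"line {lineno}: {kind:9} {uri}")
```
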

the best browser

Use Tor for my anonymous blog. Couldn't do it without you. Thanks!

"HOWTO make an anonymous blog using Onion services" would be a good subject for a future post in this blog.

Do you need to have a working "clearweb" site before you can add a "darkweb" site?

I've been using Hotspot Shield VPN Elite to hide my IP address. Does anyone know if this is a good app to use for this purpose?

I think the right answer you should get here is: using Tor Browser will be much safer.

There are many differences, but the first two that come to mind are:

A) Hotspot shield is a centralized service, so it gets to see everything you do, and sell it:
https://svn.torproject.org/svn/projects/articles/circumvention-features…

B) You need all of the application-level privacy and security fixes that Tor Browser provides. Using a default Chrome or Safari or Firefox or whatever, even if your underlying VPN service is somehow perfect, means you leave many huge holes open:
https://www.torproject.org/projects/torbrowser/design/

I really enjoy surfing with Tor, I don't have a bunch of money grubbing assholes following me around. What a refreshing change.

Since the update, Tor no longer runs stably and keeps crashing. Extensions can also only be used to a limited extent. A step backwards!

My possibly horrendous translation:

> Updating Tor (Browser) is not very stable and is always a pain. Let's work towards keeping (updating) usable. Falling back (to the previous version)!

I don't dare try to attempt to translate my reply:

Updating never works for me either, but I have always been able to simply download the latest tarball (link will be the Download page at torproject.org), verify the detached signature, unpack the tarball in a suitable directory, untar, and away I go!

You will probably have better luck getting help if you are able to speak English. :/

It sounds like your Tor Browser no longer works. What OS are you on? Do you have antivirus installed? If you uninstall the antivirus, uninstall Tor Browser, then reinstall Tor Browser, does it work?

I've read that several large ISPs (I think ATT, Charter, Comcast among others) have at times routinely used MITM (Man in the Middle) attacks to perform DPI (deep packet inspection) on *all* their customers for the purpose of selling data about individual browsing history, calling circle, banking transactions, etc., to corporations, governments, stalkers, whoever is willing to pay whatever the ISPs charge for these vast troves of detailed (and potentially dangerous) data on the habits of individual citizens and their families.

Do we have reason to think Tor Browser provides strong protection against this kind of DPI?

Short answer is yes, that's one of the things Tor does quite well.

The DPI at the ISP point can discover that you are using Tor, but not easily discover what you are *doing* with Tor.

All of the browser layer stuff is wrapped in many layers of encryption at that point, so it should be quite hard for the attacker to reconstruct.

It's not perfect -- nothing is -- but it's way better than the situation where you use a VPN provider and then the VPN provider is in exactly the right position to screw you just like your ISP was.

For more reading check out
https://svn.torproject.org/svn/projects/articles/circumvention-features…

Browser window warning

Your standard browser window size is probably square.
Unfortunately this size is not an option on some laptops which means that the size is cut off underneath.
This gives a yellow browser window size warning, over and over again, maybe it stops after 10 or 15 warnings.
Please reduce the standard window-size or come up with something smart.
Older laptops do not have 4k resolution and have therefore limited vertical space.

Interesting. I wonder how this is happening in your case. We round the browser window (the one for the content) to a multiple of 200x100 depending on your screen size with max 1000x1000. Thus it seems something has gone wrong for you.

Is "Your standard browser window size is probably square." part of the error message? If so, what is the whole error message (that's a bit hard for me to figure out)? Do you get it during start-up just once or every time you start Tor Browser?

Still learning this new version of internet. Really enjoy how helpful people are, and the epicness of everything that the community releases to move us forward. I'm sold, and am here to stay!

hi

Hi,
Tor Browser doesn't start after version 6.5 on Windows 8.1. All versions from 7.0 up to 7.0.4 don't work; I must reinstall version 6.5 every time after each update to any 7 version.
Do you have any idea?
PS: on Windows XP SP3 it works nicely, no problems.