Tor Browser 7.0.10 is released

Tor Browser 7.0.10 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to version 52.5.0esr and Tor to version 0.3.1.8, the second stable release in the 0.3.1 series. In addition, we updated the HTTPS Everywhere and NoScript extensions we ship. For Windows users we backported patches from the alpha series that update the msvcr100.dll runtime library we include, which should make Tor Browser more robust against crashes caused by misbehaving third-party software.

The full changelog since Tor Browser 7.0.9 (7.0.8 for Windows) is:

  • All Platforms
    • Update Firefox to 52.5.0esr
    • Update Tor to 0.3.1.8
    • Update Torbutton to 1.9.7.10
      • Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
      • Translations update
    • Update HTTPS-Everywhere to 2017.10.30
      • Bug 24178: Use make.sh for building HTTPS-Everywhere
    • Update NoScript to 5.1.5
      • Bug 23968: NoScript icon jumps to the right after update
  • Windows
    • Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
    • Bug 23396: Update the msvcr100.dll we ship
    • Bug 24052: Block file:// redirects early

Anonymous

November 15, 2017

1. Damn gvfsd-metadata bug every version
2. Tor circuit for this site: Bridge (Germany) - Relay (Germany) - Exit (Germany)-Internet

Tor project is a part of a CIA :)

Anonymous

November 15, 2017

Anyone else found that upgrading from TBB 7.0.7 to TBB 7.0.10 breaks embedded webextensions?

I'm aware that Mozilla are dropping support for embedded webextensions in FF57, but TBB 7.0.10 is meant to be based on FF 52.5.0 - did Mozilla do something weird between 52.4.1 and 52.5.0?

Anonymous

November 15, 2017

Installing the new Version 7.0.10 on Windows 10 actual Version I get the error message:
"Tor Browser does not have permission to access the profile. Please adjust your file system permissions and try again."
What can I do?

I am not exactly sure what happened. Maybe you installed Tor Browser as an administrator and now try to start it as a "normal" user?

Had the same type of message about ccleaner portable from windows defender after installing the Fall Creators update

ublock origin doesn't filter ads anymore right? the button formerly displayed in the toolbar has disappeared too.

Tor and the tor devs RULE! Great work by them as always -- and as always I am immensely grateful.

With Javascript off, HTTPS-Everywhere in TBB7.0.10 is working normal?

During my work with buggy HS I noticed this:

XX:21:37.000 [notice] Rend stream is 120 seconds late. Giving up on address '[scrubbed].onion'.
XX:26:59.000 [notice] Short path bias probe response length field (1).
XX:30:54.000 [notice] Rend stream is 120 seconds late. Giving up on address '[scrubbed].onion'.

I suspect it is some bug (message "Short path bias probe response length field"). Time of this message corresponds to a moment when HS stopped working. I have no idea about its relation to old ticket #8962.

Is it dangerous message? Is it sign of attack against tor client?

As always it was, with this version it is also:

./start-tor-browser: line 368: 1651 Segmentation fault TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} ./firefox --class "Tor Browser" -profile TorBrowser/Data/Browser/profile.default "${@}" < /dev/null

JS is disabled, security slider is "high". I don't know how to reproduce.

Would you be willing to run a debugger, gdb if we explained to you how to do so? But more importantly which Linux distribution are you using?

Debian jessie, 64 bit, TBB in VM, tor is on host OS, no pulseaudio. Slider was at high. I think it is safe to debug with gdb, because my VM doesn't have access to tor guards, etc. So, the leak is only my exit node or particular HS used at that time, I could tolerate that. Actually, TBB with JS enabled crashes even more often.

Please explain to me how to use gdb. Ideally I would like to run just another version of tor browser which writes detailed log useful for you. Do I need to enable core dumps somewhere in sysctl?

The situation with the tor itself is much worse, because it is impossible to debug without disclosing too much about my IP, guard, and my tor chains. Maybe tor project needs to think how to address this problem (creation of safe tor debug log).

You should get a stack trace by following the instructions on https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Us… (adapt the version number of the symbol URL to the one you are using).

Thanks! I followed the instructions on link you gave me. So, as I understand, after downloading, unzipping, etc., in my starting script I need to do this:

$ ulimit -c unlimited
$ cd $HOME/tor-browser_en-US
$ gdb -x commands ./Browser/firefox ./Browser/core

where commands is a file with the content:

set env LD_LIBRARY_PATH=Browser/TorBrowser/Tor
run -profile Browser/TorBrowser/Data/Browser/profile.default
quit

Then, if torbrowser crashes, I need to give you just a (compressed) file core, that's all? I checked it, and indeed, it seems working this way.

However, fonts in address line and in interface elements in torbrowser now look different. I guess it is because torbrowser is not started through start-tor-browser script, i.e. some libraries may not be loaded. So, do I have risk to be profiled when running TBB in gdb?

Also, I don't understand why I see this complaint:

/home/user/tor-browser_en-US/./Browser/core: No such file or directory.

Is something wrong with the command "gdb -x commands ./Browser/firefox ./Browser/core"? If I kill torbrowser with -9, core file is created in directory tor-browser_en-US, and not in tor-browser_en-US/Browser as specified by command.

By the way, (I don't know if it is normal or not) if I do just this, it gives error:

$ ./Browser/firefox
./Browser/firefox: /usr/lib/x86_64-linux-gnu/libstdc++.so.6: version `GLIBCXX_3.4.21' not found (required by ./Browser/firefox)

Finally, I don't know if it matters or not, but I have only dbus libraries installed and not dbus itself (usually I have no problems with this setup). My /etc/machine-id file is empty. So, I see some complaints about it at each TBB startup, but everything works. I don't think that crashes are related to these things.

In addition to my previous comment:

Indeed, fonts are not the same, because start-tor-browser script exports few fonts-related variables. Now I have tried to be as close to this script as possible when running my torbrowser in gdb. Finally, I arrived at this way:

Start torbrowser using script:

-----
#!/bin/sh

ulimit -c unlimited
cd "$HOME/tor-browser_en-US"

if [ ! -d ".config/ibus" ]; then
    mkdir -p .config/ibus
    ln -nsf ~/.config/ibus/bus .config/ibus
fi

gdb -x "$HOME/bin/commands.1" ./Browser/firefox ./Browser/core
-----

Here file commands.1 is:

set env XAUTHORITY=/home/username/.Xauthority
set env HOME=/home/username/tor-browser_en-US
set env LD_LIBRARY_PATH=Browser/TorBrowser/Tor
set env FONTCONFIG_PATH=Browser/TorBrowser/Data/fontconfig
set env FONTCONFIG_FILE=fonts.conf
run -profile Browser/TorBrowser/Data/Browser/profile.default
quit

Now fonts look normal as with usual TBB, and no extra files are created in home dir (like ~/Desktop). Is it correct configuration to start using my "gdb-version" TBB as usual browser? Do I still have any profiling risks?

P.S. I'm sorry for being messed with paths... Well, the correct version I mean is:

1) Script to start browser:

#!/bin/sh

ulimit -c unlimited
cd "$HOME/tor-browser_en-US/Browser"
if [ ! -d ".config/ibus" ]; then
    mkdir -p .config/ibus
    ln -nsf ~/.config/ibus/bus .config/ibus
fi
gdb -x "$HOME/bin/commands" ./firefox ./core

2) $HOME/bin/commands file:

set env XAUTHORITY=/home/username/.Xauthority
set env HOME=/home/username/tor-browser_en-US/Browser
set env LD_LIBRARY_PATH=TorBrowser/Tor
set env FONTCONFIG_PATH=TorBrowser/Data/fontconfig
set env FONTCONFIG_FILE=fonts.conf
run -profile TorBrowser/Data/Browser/profile.default
quit

If you want to debug your crash there is no need to mess with any start scripts or write your own.

1) Just download the debug symbols (the large .zip file) and make sure everything lands properly in Browser/.debug
2) Follow the "Starting firefox from inside gdb" instructions

Reading your above comments it seems this is kind of working for you? If so, you might want to play with the Browser/start-tor-browser script figuring out what exactly it is that breaks your setup.

If you want to debug your crash there is no need to mess with any start scripts or write your own.

Well, I was a bit confused. I thought that I need to specify some core file during start of program to get it created during a crash. Actually, it is not so, as I understood it later... So, normally I should start gdb on firefox without any core file, as it will be automatically created if crash happens. Then, if crash has happened with some core file created, I can run firefox on this core file and investigate it (creating stack trace, etc.). I hope, now I am correct. :)

Reading your above comments it seems this is kind of working for you?

Yes, everything works. I downloaded, unzipped, all right. Core file is created if firefox is killed. But I want this working smoothly as an everyday usage of torbrowser, that's why I need to care about all variables, correct fonts, and absence of profiling (because of some possible misconfiguration).

If so, you might want to play with the Browser/start-tor-browser script figuring out what exactly it is that breaks your setup.

It is not breaking. Everything works. At least, I cannot see any visual differences with normal TBB (i.e. without gdb). Yes, it doesn't mean there are no such differences.

Initially I thought that gdb doesn't take environment variables from my shell before running the program, that's why I tried to pass all necessary variables to firefox after gdb is launched. Now I see this is wrong. So, gdb can safely get all necessary variables from shell, i.e. I simply need just to edit those lines of start-tor-browser script, where firefox is launched, by replacing them with a proper gdb command.

To be clear: Since most of crashes are not easily reproducible, my intention is to use gdb with torbrowser by default. Then, if crash happens in some future, I will come here with useful backtrace and a core file. I hope it will make TBB more secure and will help the community to catch yet unknown torbrowser 0-days.

Okay, so without gdb Tor Browser is working as well? If so, good. And thanks for helping to find bugs in Tor Browser. Really appreciated.

Thank you for the help! Yes, my TBB now can work both with and without gdb. Crashes usually happen rarely (I don't think that more than once in a week), but I am almost sure that once I'll get them in my future. It should be interesting to analyze... (Well, it may be also due to other possible reasons: bug in other Linux libraries or kernel, hardware bugs, etc.).

Finally, the hack with these extra 6 lines is working:

-----
$ diff start-tor-browser.new start-tor-browser.original
116,119d115
< --gdb)
< use_gdb=1
< shift
< ;;
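Review bot: `use_gdb` is assigned only inside the new `--gdb)` case, so when the flag is absent the later `[[ "$use_gdb" -eq 1 ]]` test relies on bash evaluating an unset variable as 0. Set `use_gdb=0` before the option-parsing loop so the default is explicit, and add a line for `--gdb` to the script's usage text, since this hunk introduces the flag without documenting it.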
367,369d362
< [[ "$use_gdb" -eq 1 ]] && TOR_CONTROL_PASSWD=${TOR_CONTROL_PASSWD} gdb \
< -ex "run --class 'Tor Browser' -profile TorBrowser/Data/Browser/profile.default ${@} < /dev/null" \
< -ex quit ./firefox ||
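Review bot: the `[[ "$use_gdb" -eq 1 ]] && ... gdb ... ||` chain falls through to the command after `||` whenever gdb itself exits non-zero, not only when `--gdb` was omitted, so a failed gdb session would start a second, non-debugged browser; an explicit `if [ "$use_gdb" -eq 1 ]; then ... else ... fi` avoids that. Separately, `${@}` is expanded inside the double-quoted `-ex "run ..."` string, so the arguments are flattened into one string and re-parsed by gdb's `run`, which changes any argument containing spaces or shell metacharacters; `gdb -ex run -ex quit --args ./firefox --class "Tor Browser" -profile ... "${@}"` keeps each argument intact.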
-----

I added one switch --gdb, so now one can use both ways. Without gdb:
$ ./start-tor-browser -v
With gdb:
$ ./start-tor-browser -v --gdb

If you like it, you could add some similar functionality to start-tor-browser script (at the moment I don't care about regimes and options other than -v, but it can be easily applied to all places in the script, where firefox is launched).

Finally, the hack with these extra 6 lines is working

P.S. In addition, though ulimit is unlimited by default, one still needs to add the line
ulimit -c unlimited
somewhere at the start of start-tor-browser script. Otherwise, core file will not be created.

tor browser can be resuscitated in china, if we use a socks-5 proxy server as vanguard.

Is it safe to use Vidalia(.exe)? I find it indispensable for viewing and playing with Tor circuits.

Should the control port in Vidalia be 9150 or 9151? Thanks.

The default control port is 9151.

For Vidalia, it has been unmaintained for a few years.

TB opens up as maximized on Debian 9
And without https Everywhere "S"
But after a restart S appears normal

Is this after an update? Are you able to reproduce the problem if you reinstall the previous version and update it again?

No I downloaded the complete TB and when it starts it is maximized and without the S. After a restart the S seems Ok, but again TB is maximized. This has been this way in several recent versions of TB.

What window manager are you using and what screen resolution are you getting when testing it on e.g. https://browserleaks.com/javascript?

Screen resolution: 915×539 24-bit TrueColor (working area: 902×539)
x window manager alias mutter

All from debian live 9 stretch on an old toshiba satellite

I see. I've opened https://trac.torproject.org/projects/tor/ticket/24383 for further investigation, thanks.

Which window manager are you using? FWIW: the HTTPS Everywhere issue is: https://trac.torproject.org/projects/tor/ticket/23359.

It's impossible to access the options / dashboard of uBlock, the symbol is gone too. Which means it can't be customized anymore. No way to add filters or make exceptions.
Please tell me that's a bug and not a 'feature'

Is this in a Tails context or does this happen with a vanilla Tor Browser as well?

I assumed it to be an issue of Tor Browser itself but you are correct, it's only Tails, sorry.

Tor is being blocked by the City of Brampton in Canada public wireless access. The public IP is 192.82.150.249. The Tor browser isn't able to complete its initial connection when opened. Previously Tor browser would time out and give an option to capture logs to the clipboard but that no longer happens. The Tor browser just sits with no progress bar information.

Have you tried to configure bridges to circumvent the blocking? See: https://tb-manual.torproject.org/en-US/circumvention.html.

Maybe try setting Tor to use common ports like 80,443 only.

search for bridges outside US. You can set up your own VPN in a virtual GNU/Linux image and run it from an online host service or pay for VPN (using cash cards, crypto currency). Do some homework first. Connect to wireless (not your own) with WIFI dongle, fake MAC and IP, use Tor to connect to the VPN. You are going to need to read up on proxy and SSH tunneling etc. Don't then log into accounts or go acting like a clown.

is there any way to bypass youtube ip checker because some countries are banned from seeing videos.......

is there any way to proxy all computer connection through tor browser? seems it could happen before but not today? you can use onion buddy but not clear.

Maybe, try hooktube, its youtube without the BS.

nuff said

hi there,

I am wondering whether or not the new version tor browser 7.0.10 revoked the CNNIC certificate?

Thanks!

That version did not revoke that cert unless Firefox 52.5.0esr did so (which I have not checked).