Tor Browser 7.0.10 is released

Tor Browser 7.0.10 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox.

This release updates Firefox to version 52.5.0esr and Tor to version 0.3.1.8, the second stable release in the 0.3.1 series. In addition, we updated the HTTPS Everywhere and NoScript extensions we ship. For Windows users, we backported patches from the alpha series that update the msvcr100.dll runtime library we include, which should make Tor Browser more robust against crashes caused by misbehaving third-party software.

The full changelog since Tor Browser 7.0.9 (7.0.8 for Windows) is:

  • All Platforms
    • Update Firefox to 52.5.0esr
    • Update Tor to 0.3.1.8
    • Update Torbutton to 1.9.7.10
      • Bug 23997: Add link to Tor Browser manual for de, nl, tr, vi
      • Translations update
    • Update HTTPS-Everywhere to 2017.10.30
      • Bug 24178: Use make.sh for building HTTPS-Everywhere
    • Update NoScript to 5.1.5
      • Bug 23968: NoScript icon jumps to the right after update
  • Windows
    • Bug 23582: Enable the Windows DLL blocklist for mingw-w64 builds
    • Bug 23396: Update the msvcr100.dll we ship
    • Bug 24052: Block file:// redirects early
khled.8@hotmai.com

November 18, 2017

thank u

khled.8@hotmai.com

November 18, 2017

Did something change recently with Twitter and the "high" security setting in TorButton? I used to be able to set it to "high" and be able to load my Twitter feed, but now it won't load unless I set it to "medium" first, then load Twitter. Note: this is just with the feeds. I can login on Twitter fine with it set to "high" but feeds won't load.

khled.8@hotmai.com

November 19, 2017

TOR RULES

khled.8@hotmai.com

November 19, 2017

I am not using the Tor-Browser for a long time and I am no expert...
I like the Tor project and I want to participate with a relay.
I am supposed to edit the torrc-file, so
I opened the torrc file:
"# This file was generated by Tor; if you edit it, comments will not be preserved
# The old torrc file was renamed to torrc.orig.1 or similar, and Tor will ignore it"

the torrc.orig.1 opens empty with my editor.
What am I doing wrong?

khled.8@hotmai.com

November 19, 2017

For some reason all day I have not been able to "Test Tor Network Settings", but I can access other websites other than this "Test Tor Network Settings" page. Seems all fishy to me.

I use some locally hosted client-side javascript web apps, specifically coinb.in and bip32.org. The remotely hosted versions render correctly. But opening the same apps locally with file://, they don't render correctly and are non-functional even with no-script disabled. I'm experiencing this problem with latest TOR browser on Debian stable, Tails 3.3, and Whonix 13.

That's because of https://trac.torproject.org/projects/tor/ticket/24052 which worked around a potential proxy bypass bug. We hope Mozilla fixes the underlying problem in a proper way without functionality loss.

Is https://check.torproject.org/ down? Cannot reach it. Only loads to timeout and I tried new identity many times.

It has been down for a few hours, but is back now.

Hello again, After launching, I cannot seem to get it to test Tor Network settings. It will only do that after going to some other site first. Prior to 7.0.10, it would always check pre moving on. Any idea what has changed that function? Thank you in advance.

net speed is slow. Site loads, loads not, https://blog.torproject.org/ loads normal -that's new.
Only me or more generally?

Hi everybody. No_Script plugin has list of "Untrusted" domains. The question is: whether
or not adding new URLs in this list could change my fingerprinting?

there are a white-list & a https tab not an untrusted domains 'choice'.
it is depending on your threat model :
- if you are not too much exposed and lived in a safe location , it should not change your fingerprint.
- if you wish be safe , do not add a domain or address site in the white-list and add it on the https list.
- as soon as you change the settings -about:config- (bookmarks & white-list included) it could be revealed using sophisticated 'hack' so it is not recommended (fingerprint).

You must set no-script & https & tor settings & cookies & search browser before using Tor Browser according on your wishes.

Hi again. Thanks. I'm appreciating your reply. It seems like I need to clarify the case.

There is "noscript.showUntrusted" option at the "about:config" settings. If you toggle it on there would appear "Untrusted" line at the No_Script dropdown menu. By marking web addresses and domains as "Untrusted" you could compose your own blacklist (for example : Mark torproject.org as Untrusted ; Mark blog.torproject.org as Untrusted ; Mark https://blog.torproject.org as Untrusted ). That list would be stored at the "about:config" "noscript.untrusted user_set string (whatever you add)" line.
Eventually you could end up with a huge and unique scroll.
My question was about that.

But how could I determine whether my location is safe or not? And what do you mean : "too much exposed"?

"You must set no-script & https & tor settings & cookies & search browser before using Tor
Browser according on your wishes."
Could you suggest such safe settings, please?

TOR inhibits, terribly much slow !! Long enough, very slow!
Unexpectedly long loads any page, more than ten minutes I can not wait.
What to do??

I want to get the latest version of Tor expert bundle, but didn't see any download link via Tor official website. Where can I find it?

Thanks a lot.

On https://www.torproject.org/download/download.html.en clicking on the Windows option and scrolling down should give you a purple button for downloading the expert bundle. The current one can be found at https://www.torproject.org/dist/torbrowser/7.0.10/tor-win32-0.3.1.8.zip.

Hi there,

Thanks !

I am wondering would it be possible to download Tor expert bundle via a link where I can find all the older builds and its signature? Something like this: https://www.virtualbox.org/wiki/Download_Old_Builds_5_0
If this is not possible, could you provide a link where I can download expert bundle version 0.3.0.10/ 0.3.11 with its signature?

Many thanks in advance.

We have everything archived at https://archive.torproject.org/tor-package-archive/torbrowser/. Unfortunately the expert bundles are buried in the respective Tor Browser releases. For 0.3.0.10 this would be:

https://archive.torproject.org/tor-package-archive/torbrowser/7.0.4/

I assume you meant 0.3.0.11? We did not build that one but rather switched to 0.3.1.7 directly it seems.

Pulseaudio sound does not work with Tor Browser, but it does with Firefox. Running with --verbose shows error in console:
Failed to create secure directory (/home/someuser/.config/pulse): Permission denied

Stopping pulseaudio and trying to use apulse libs gives error:
[apulse] [error] do_connect_pcm: can't get initial hw parameters for playback device "default". Error code 1 (Operation not permitted)
[apulse] [error] do_connect_pcm: failed to open ALSA device. Apulse does no resampling or format conversion, leaving that task to ALSA plugins. Ensure that selected device is capable of playing a particular sample format at a particular rate. They have to be supported by either hardware directly, or by "plug" and "dmix" ALSA plugins which will perform required conversions on CPU.
Workarounds suggested by apulse have no effect.
And with pulseaudio not running, firefox sound doesn't work either, but other ALSA apps work fine.

Does it help to adjust the permissions of /home/someuser/.config/pulse? What are those permissions right now?

The current permissions are rwx------ (700) owned by someuser. No effect on changing them to 777.

It must be related to its sandbox, although it refuses to print any sandbox debug messages. How do you whitelist access to pulseaudio or the ALSA device apulse is trying, or work around it?

You can test whether it is really sandbox related by changing the security.sandbox.content.level preference. 0 disables it altogether and 1 makes it less strict.

If you run Debian you should know that devs recompiled their firefox with alsa support, but TBB devs decided to not follow Debian way--they use upstream version of firefox, where alsa support is disabled during compilation.

It is not straightforward to get PulseAudio (PA) running on any normal secure system. I think that if not yet, very soon PA will not work on any Linux system without systemd installed (btw, Devuan was forked from Debian just to get good system without systemd and dbus). So, if you follow classic UNIX secure way, sooner or later you will lose sound support in TorBrowser forever. Sad, but true.

I had the same problem, so I tried to get PA with SysV working. I didn't get sound working in TBB even with PA running. Anyway, moving to systemd and PA to get sound working is as awful as moving to proprietary closed source software.

I use few different torbrowsers with slightly different set of preferences (all of them are using the same system tor on my Linux machine). I update them manually by checking PGP signatures in safe environment. After each new TBB release I need to run each torbrowser in safe and clean environment and change few preferences to get working clean copy (so, I can always rollback to it after any of my torbrowser sessions). I don't need to change too many options, it is just about 5 preferences: proxy server, default search engine, default home page (blank), disable autoupdate, adjusting security slider... However, it takes too much time to create new clean torbrowsers, so I decided to write my own script for this work.

As I understood from google, the most reliable way to make changes to firefox/torbrowser preferences is to create new user.js file on the same profile directory as prefs.js file (Am I right?). The next thing I need is to figure out what are the options I need to add to user.js which will make the same effect as manual editing of preferences in torbrowser interface.

After first start of torbrowser the file prefs.js is created. At the second start I can make some changes to preferences and see what is changed in prefs.js. This way worked well for many options, but not for all of them. It looks like firefox stores in prefs.js a lot of stuff including very minor things such as "when particular preferences were applied," "which things were already clicked in interface," etc. For me, exact set of options in prefs.js is not well predictable. I also understand that in some future the names of preferences and behavior of torbrowser may change, so I need to track it.

My particular questions in relation to this script:

1). Disabling tor-launcher through variables "TOR_SKIP_LAUNCH=1 TOR_SKIP_CONTROLPORTTEST=1 ./start-tor-browser" works well, but I would like to disable this addon completely (as in preferences of torbrowser). Is there any way to do it in script before starting TBB? Well, there is option:

user_pref("extensions.enabledAddons", "torbutton%40torproject.org:1.9.7.10,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:52.5.0");

However, in order to use it, as I see, at each update I need to manually write versions of torbutton and other extensions. Can it be done simpler?

2). I need to change my default search engine from DuckDuckGo to DuckDuckGoOnion. How can I do that? It is related either to file search.json.mozlz4 or very long and hard to parse line in prefs.js (which deals with the HTTPS Everywhere, probably). I didn't find any way to solve this problem.

3). Since I update TBB manually, I disable the following update options:

user_pref("app.update.enabled", false);
user_pref("app.update.auto", false);
user_pref("app.update.backgroundErrors", 1);

Is it correct? I mean, is it the same as choosing "never check for updates" in "preferences - advanced - update"?

4). By comparing changes done from interface and from command line I noticed that in the first case prefs.js includes also these lines:

user_pref("extensions.ui.dictionary.hidden", true);
user_pref("extensions.ui.experiment.hidden", true);
user_pref("extensions.ui.locale.hidden", true);

and

user_pref("gfx.blacklist.canvas2d.acceleration", 4);
user_pref("gfx.blacklist.canvas2d.acceleration.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.direct2d", 4);
user_pref("gfx.blacklist.direct2d.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.direct3d11angle", 4);
user_pref("gfx.blacklist.direct3d11angle.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.hardwarevideodecoding", 4);
user_pref("gfx.blacklist.hardwarevideodecoding.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d10", 4);
user_pref("gfx.blacklist.layers.direct3d10-1", 4);
user_pref("gfx.blacklist.layers.direct3d10-1.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d10.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d11", 4);
user_pref("gfx.blacklist.layers.direct3d11.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.direct3d9", 4);
user_pref("gfx.blacklist.layers.direct3d9.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.layers.opengl", 4);
user_pref("gfx.blacklist.layers.opengl.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.stagefright", 4);
user_pref("gfx.blacklist.stagefright.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webgl.angle", 4);
user_pref("gfx.blacklist.webgl.angle.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webgl.angle", 4);
user_pref("gfx.blacklist.webgl.angle.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webgl.msaa", 4);
user_pref("gfx.blacklist.webgl.msaa.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webgl.opengl", 4);
user_pref("gfx.blacklist.webgl.opengl.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webrtc.hw.acceleration", 4);
user_pref("gfx.blacklist.webrtc.hw.acceleration.decode", 4);
user_pref("gfx.blacklist.webrtc.hw.acceleration.decode.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webrtc.hw.acceleration.encode", 4);
user_pref("gfx.blacklist.webrtc.hw.acceleration.encode.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.blacklist.webrtc.hw.acceleration.failureid", "FEATURE_FAILURE_OPENGL_1");
user_pref("gfx.font_rendering.opentype_svg.enabled", false);

I don't understand the origin of these options, because clean torbrowser doesn't add them in prefs.js after the first start, but they are added if I do my changes through torbrowser interface (but not added, if I do it using commandline). So, should I add these options to my user.js too? Are they essential?
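
An added example (not part of the comment above and not Tor Project code) of the snapshot-diff approach that comment describes: it parses two prefs.js snapshots, keeps only the prefs that were set or changed, and emits them as user.js lines for review before they are copied into a profile. The ignored prefixes and both sample snapshots are assumptions constructed for illustration.

```python
import json
import re

# One line of prefs.js / user.js: user_pref("name", <literal>);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

# Assumption (not from the comment): prefs under these prefixes are treated as
# browser-written bookkeeping rather than user choices and are not copied.
VOLATILE_PREFIXES = ("gfx.blacklist.", "extensions.ui.")

def parse_prefs(text):
    """Return {name: value} for every user_pref() line in a prefs.js dump."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a pref
        try:
            # Pref values are strings, integers or booleans; JSON parses all three.
            prefs[m.group(1)] = json.loads(m.group(2))
        except ValueError:
            continue  # skip a value that is not a plain literal
    return prefs

def same(a, b):
    # True == 1 in Python, so compare the type as well as the value.
    return type(a) is type(b) and a == b

def diff_prefs(before, after, ignore=VOLATILE_PREFIXES):
    """Return (prefs set or changed in `after`, names that disappeared)."""
    missing = object()
    changed = {
        name: value for name, value in after.items()
        if not name.startswith(ignore)
        and not same(before.get(name, missing), value)
    }
    removed = sorted(n for n in before
                     if n not in after and not n.startswith(ignore))
    return changed, removed

def render_user_js(prefs):
    """Emit the prefs as user.js lines, sorted so that runs can be compared."""
    return "".join('user_pref("%s", %s);\n' % (n, json.dumps(prefs[n]))
                   for n in sorted(prefs))

# Constructed snapshots for illustration, not taken from a real profile.
BEFORE = """\
user_pref("app.update.auto", true);
user_pref("app.update.backgroundErrors", 1);
user_pref("browser.startup.homepage", "about:tor");
user_pref("network.proxy.socks_port", 9150);
"""
AFTER = """\
user_pref("app.update.auto", false);
user_pref("app.update.enabled", false);
user_pref("browser.startup.homepage", "about:blank");
user_pref("extensions.ui.locale.hidden", true);
user_pref("gfx.blacklist.direct2d", 4);
user_pref("network.proxy.socks_port", 9050);
"""

if __name__ == "__main__":
    changed, removed = diff_prefs(parse_prefs(BEFORE), parse_prefs(AFTER))
    print(render_user_js(changed), end="")
    print("// no longer in prefs.js (back at default):", removed)
```

A pref that disappears between snapshots has returned to its default; user.js can only set values, so such names are reported rather than written.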

I have core file for this version of firefox. I think that after visiting one page with JS, scripts killed browser before it could ask user to stop scripts. I visited the same links again but crash didn't happen. What can I do with this core? It is about 0.5GB big (non-compressed). Which backtrace are you interested in? How can I send it to you? Tell me which commands to type in gdb (Linux, 64bit).

https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#Ge… has some tips regarding debugging core files. I guess the whole GDB section in that document is relevant for you. You can send the results to me if you want: gk[@]torproject[.]org (without the brackets). Thanks!

Yes, I used that wiki to get core file. Your link tells me vague thing:

You can then use the usual gdb commands (backtrace, print, up, down, etc) to inspect the stack, variables, and program state at the time of the crash.

I am not familiar with the debugging and firefox internals, I don't know what is meant exactly by "stack trace" which is wanted. Google tells me it can be either of commands:

(gdb) bt
(gdb) bt full
(gdb) info threads
(gdb) thread apply all bt
(gdb) thread apply all bt full

When I run gdb ./firefox /path/to/core I get:

GNU gdb (Debian 7.7.1+dfsg-5) 7.7.1
...
Reading symbols from ./firefox...Reading symbols from /path/to/tor-browser_en-US/Browser/.debug/firefox...done.
done.

warning: core file may not match specified executable file.
[New LWP 1620]
[New LWP 1631]
[New LWP 1652]
[New LWP 1642]
[New LWP 1648]
[New LWP 1623]
[New LWP 1624]
[New LWP 1625]
[New LWP 1626]
[New LWP 1627]
[New LWP 1628]
[New LWP 1630]
[New LWP 1634]
[New LWP 1640]
[New LWP 1641]
[New LWP 1643]
[New LWP 1649]
[New LWP 1688]
[New LWP 2483]
[New LWP 1616]
[New LWP 1633]
[New LWP 1632]
[New LWP 1629]
Core was generated by `/path/to/tor-browser_en-US/Browser/plugin-container -greom'.
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x0000555555559225 in ?? ()
(gdb) bt full
#0 0x0000555555559225 in ?? ()
No symbol table info available.
#1 0x0000000000000003 in ?? ()
No symbol table info available.
#2 0x00007ffff3c9ba86 in ?? ()
No symbol table info available.
#3 0x0000000000000000 in ?? ()
No symbol table info available.
(gdb) bt
#0 0x0000555555559225 in ?? ()
#1 0x0000000000000003 in ?? ()
#2 0x00007ffff3c9ba86 in ?? ()
#3 0x0000000000000000 in ?? ()
(gdb)

I guess that the error is in some firefox subsystem which I have no "symbol tables" for, i.e. my core file is mostly useless. Anyway, compressed core file is about 40 MB long, I can upload it somewhere for you. Do you want it?

I got some new crash. When I am in original session yet, if I print bt or bt full, it gives meaningful trace. I thought I can always reprint it again by exiting and later running gdb /path/to/firefox /path/to/core again with bt command, but... it seems it is not so! Output after restart of gdb is completely different. Can I get original meaningful stacktrace? I am not experienced with debugging or gdb.

How can I reproduce that? It works for me right now.

The screen comes up with some URLs then I click on noscript to temporary allow and then goes blank on a Torbrowser running on a Mac OSx. running through TOR relay Nickname
xorox
OR Addresses
37.187.94.86:443

I see. I assume you are using the security slider set to "High" and are allowing scripts if needed on particular sites, right? The problem in your case is that the mode "High" is blocking more than just scripts and it is sometimes not enough to just enable them. In this case you would need to allow SVG content as well to get the page rendered which is forbidden on the highest security level. To test whether that really makes a difference for you open about:config and set svg.in-content.enabled to true.

Beautiful

this version of tor browser won't allow clicking "sort by"
http://store.steampowered.com/search/sort_by
all other browsers allow

What exactly does not work? I can click on the item next to it which is a drop down menu and select items from it and the sorting gets done according to the selected category.

when clicking to sort it opens the web page http://store.steampowered.com/search/sort_by instead of opening the drop down menu

instead of the drop down menu it loads the page
http://store.steampowered.com/search/sort_by

Hm, I still don't understand your problem. Are you saying you don't have this drop down menu? Or just clicking on it does not work?

How can I reproduce your problem? What operating system are you using? Did you adjust your security slider to a higher level? If so, which one? What Tor Browser version are you using?

The drop down menu doesn't appear. Clicking on it loads a web page instead of opening a drop down menu.
The operating system is Windows
The Tor Button Security Settings says "Your custom browser preferences have resulted in unusual security settings. For security and privacy reasons, we recommend you choose one of the default security levels." There's no slider.
The Tor Browser version is 7.0.10

Could you reset those settings and then test with the slider on the lowest level? Do you get the same result?

Reset the settings and tested with slider on lowest level has same result.

Printing to PDF on Linux does not work, it goes through the motions but no file is written.

That's probably https://trac.torproject.org/projects/tor/ticket/23016 and/or https://trac.torproject.org/projects/tor/ticket/23970. We'll test the fix in the next regular alpha release. Hopefully we can include it in Tor Browser 7.5 which is due in Jan 2018.

Only usability fixes in FF52.5.1esr?

No. Mozilla is not making releases on the ESR series to fix just usability issues.