Tor Browser 7.0.11 is released

Tor Browser 7.0.11 is now available from the Tor Browser Project page and also from our distribution directory.

This release features important security updates to Firefox and fixes vulnerabilities in Tor. All users are encouraged to update as soon as possible.

This release updates Firefox to version 52.5.2esr and Tor to version 0.3.1.9. In addition to that we updated the HTTPS Everywhere and NoScript extensions we ship.

The full changelog since Tor Browser 7.0.10 is:

  • All Platforms
    • Update Firefox to 52.5.2esr
    • Update Tor to 0.3.1.9
    • Update HTTPS-Everywhere to 2017.12.6
    • Update NoScript to 5.1.8.1

Bridges won't help you if the exit node is being blocked. Just trigger a new Tor circuit for that site and hope for the best. Either that or explicitly set a known exit node (although that's not very secure).

Попробуйте вот так: зайдите на http://cameleo.xyz/ (или любой другой анонимайзер) и вставьте вашу ссылку https://www.ncbi.nlm.nih.gov/pubmed/advanced

Всё работает без проблем. Видимо сайт блокирует подключение именно TOR

Using a bridge/obsf4 only changes how you connect to the Tor network, not how the websites you visit see you. All they see is a request from an exit relay. The website you linked to appears to block all exit relay ip addresses. This is not something that you can get around without the website in question unblocking exit node ip addresses.

Anonymous

December 09, 2017

Permalink

helo

Anonymous

December 09, 2017

Permalink

This website cannot provide a secure connection warning in ms edge and slimjet browsers, ISP is Talktalk, are they blocking??? I have downloaded and installed successfully through filehippo :-)

Anonymous

December 09, 2017

Permalink

is it safe to use Evolution email-client (with 7.0.11 TB) for an onion_webmail imap/pop settings ?
(thunderbird is not maintained & not included as add-on. )

Anonymous

December 09, 2017

Permalink

is javascript enabled so dangerous? I mean, I can not do a lot of things with javascript disabled. I would also like to know if I can put a kind of proxy after the final node of the tor, because ip ip is identified in several sites and they define this ip as very aggressive. These things limit me a lot ....

Thanks for the great software.

The risk of JavaScript comes from the fact that it's a complicated language that can contain bugs. It does not innately put you at risk (e.g. it cannot simply bypass the proxy settings and phone home), but it can contain bugs that could be exploitable. It's a good idea to set the security slider higher if possible, but it is not a strict requirement.

For your second question, I'd like to mention that putting a proxy after Tor is rarely a good idea. It centralizes all your traffic and defeats the purpose of having rotating exit nodes. If you really have to connect to an individual website that is blocking Tor, try using a web proxy like kproxy.com or something, in Tor browser of course.

> The risk of JavaScript comes from the fact that it's a complicated language that can contain bugs

Also, if you allow JavaScript (for example by using TB with security slider set at "medium") you will probably see warnings about canvas fingerprinting, which you should answer "Never for this site".

Depends on who your adversaries are, and how dangerous it would be to you if they were able to compromise your brower.

We can assume that the FBI, for example, has knowledge of Firefox bugs that nobody else knows about. They've had such knowledge in the past and used it to attack Tor users. And the vast majority of exploitable bugs rely on JavaScript.

If you don't have such powerful adversaries then perhaps you don't need to worry about that. Or there are other steps you can take, such as using Whonix or sandboxed-tor-browser, to reduce the risks if your browser is compromised.

As far as proxies go, I think you'll find any free proxy service will look just as "suspicious", to server operators, as Tor. Paid services may appear more "reputable" because they're both less popular in general, and less appealing to spammers.

Great reply, but I think more needs to be said about this:

> If you don't have such powerful adversaries then perhaps you don't need to worry about that.

I think that almost everyone is seriously underestimating their chances of being victimized by a "serious" attack by a well-funded attacker. For at least two reasons:

o because some attacks are easily converted into dragnet attacks (e.g. targeting all Tor users) and because some well-funded attackers (e.g. cyberespionage-as-a-service companies) are clearly happy to perform dragnet attacks on entire classes of internet users,

o more and more cyberespionage-as-a-service companies, often founded by former FBI, USSS, NSA/TAO agents with experience in creating malware, keep appearing, because more and more large corporations and nasty governments are demanding their services; among the most popular is "active defense" which means using social media to suss out potential adversaries, finding their IPs, and attacking their personal devices; increasingly, almost anyone who engages in political activity in a dozens of countries including "Western democracies" is likely to be surveilled by these companies acting on behalf of government or corporate clients; known victims include dozens of
+ fracking protest groups
+ oil pipeline protest groups
+ Black Lives Matter, Occupy, and other social justice movements
+ human righst groups (including the best known such as Amnesty and HRW)
+ foreclosure and mega-bank protest groups
+ net-neutrality supporters

For more information, please see

https://www.theguardian.com/world/2017/dec/12/surveillance-firms-spied-…

https://www.theguardian.com/world/2017/dec/12/inside-the-secret-world-o…

https://theintercept.com/series/oil-and-water/

USPERs please note that at least one of the UK-based companies mentioned in The Guardian, TASK International, appears to have an active US branch (in FL).

There are many cyberespionage-as-a-service companies based in such places as USA, EU, India, South Asia, and Russia, but the best known are Gamma International (London and Munich), maker of FinFisher, Hacking Team (Italy), NSO Group (Israel) and Cyberbit (Israel, formed by merging NICE Ltd and portions of Elbit Systems, the Israeli spy/kill-drone maker; see the books on NSA by James Bamford for more background on NICE's business relations with the biggest US telecoms) .

My feeling is that pretty much anyone who is politically active needs to use Tor, strong end-to-end encryption, and other privacy/security-enhancing tools.

i noticed few mistakes :

1° * dragnet : more relays, more users, the next generation of onions could help.
2° * as service = Contract manufacturer
it is like that most of secret service work afaik.

- cyber-espionage : related at police/deviance/free lance.
- Western democracies : do you mean an occupied area with a fake label ? It is an E.U. plan not an US one.
- caterpilar does not obeys to u.k orders but to fr/israeli joint-venture (organized crime)
- the business relations with the telecom are a part of counter-terrorism & anti-mafia ops.

Tor can't do nothing against Professional Parabolic Microphone & harassment/racket/missing person/fake news/fake uspers.

The roses grow up on the dung-heap , almost everyone is seriously over estimating their chances to not be a victim after a "serious" attack by a well-funded attacker.

My feeling is that if you can't beat it , they can be stopped by their allies.
Using Tor, strong end-to-end encryption, and other privacy/security-enhancing tools ; it can be reported, denounced, and their criminal plot will fail.

You realize hushmail is the one that gave their logs to the FBI with no resistance a while back, right? Their reputation is almost as bad as HMA is now days. I thought we were over recommending those scammers.

That's one of the long-standing unsolved problems for Tor users, and I believe it is fair to say that most experts think it is unsolvable.

One point here is that most email services require you to log in as a unique user (and to use some payment method), and sending any unique identifier over Tor would appear to be inconsistent with anonymity, which is the purpose of Tor.

I would urge you to explore using end-to-end encrypted messaging instead. I have great hopes for Tor Messenger (a still experimential project of Tor Project which may eventually be incorporated into Tails; see tails.boum.org), but you can try Signal. In a recent tweet, Edward Snowden recommends using Signal with Tor.

Careful. "Anonymity" is a tricky concept. What Tor provides you could be called location privacy: whatever site you visit/wherever you log in those folks providing the services don't see where you are from doing so. And in that way doing email over Tor is working perfectly fine.

Anonymous

December 09, 2017

Permalink

Hi,
I am seeing the update in green on tor's menu. So I clicked on it. Then my antivirus software then requests to block the firefox.exe and tor.exe files from opening. These files are legit, right? What should I do? Tech dummy here. Please help, anyone?

Anonymous

December 09, 2017

In reply to by YM (not verified)

Permalink

I'm sure someone else has a better answer, but you should make sure that you downloaded from the real Tor Project website, using HTTPS. You can be additionally sure by using GnuPG to verify the downloads. The website provides explanations on how to do this.

Anonymous

December 10, 2017

In reply to by YM (not verified)

Permalink

Antivirus software is never perfect and can generate false alarms. Executable files (.exe's) could easily carry nasty stuff, so it's not surprising your AV software would be worried about them. But since you know these two files are coming from the Tor project, just go ahead and install them.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

10 + 2 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.