Tor Browser 7.0.2 is released

Tor Browser 7.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor.

We are updating Tor to version 0.3.0.9, fixing a path selection bug that would allow a client to use a guard that was in the same network family as a chosen exit relay. This release also updates HTTPS-Everywhere to 5.2.19.

Here is the full changelog since 7.0.1:

  • All Platforms
    • Update Tor to 0.3.0.9, fixing bug #22753
    • Update HTTPS-Everywhere to 5.2.19
Anonymous

July 05, 2017

With this update, Tor Browser is no longer connecting to onion sites (times out). I am using Sierra 10.12.5. Should I downgrade to Tor Browser 7.0.1?

Hello, dear administrators and managers! I don't know English very well; I have lived in Russia for more than 20 years. Could you write to me in Russian whether I have connected to the Tor network correctly? Do I need to take any further steps? Can I use e-mail anonymously, and how is that done?

Respectfully, Alexander.

Alexander, people who don't know English look too much like Roskomnadzor employees. You won't get any help. Learn the language of international communication and join the international community. Maybe then the desire to work for RKN will go away too.

I experienced (for the first time) difficulty connecting to the Tor 'network'. I then tried to configure it with the 'option' for when my ISP is blocking the Tor network, and then I could connect very fast.

Anonymous

July 05, 2017

How is Tor (Tor Browser) working in China now?? It seems Tor faces the most serious problems with China and the Great Firewall, so I'm wondering how that is going on now: can people from within China use Tor now, how difficult to use Tor from China,...?

Thank you, pastly :)

I was being attracted so much by the information flow regarding "the Sino-Tor war over the Great Firewall"; I hope people from within China will be able to pass the obstacle(s). It sounds like they (the PRC Gov) did put huge efforts to block the people from using Tor (that struggle must cost them a huge amount of money and resources). I still want to dig in that war. xD

Every human being should have the right to all the benefits of technology such as using Tor because of the apparent costs. Open all channels...Ready to Receive

Yes, we can, but with a lot of connection problems, and the speed is not good at all (in my case, about 20-200k download speed over my 30M fiber broadband).
Most pages need to be refreshed 2-3 times until they are fully loaded.
All Chinese ISPs block Tor. If you are lucky enough, you can use obfs4 and link to the Tor network, but if you are not, it seems you triggered something in the GFW, and then you cannot connect to Tor for a while. meek may also work, but with a much lower probability. And if you haven't used Tor for a few days, you may need to manually add a new bridge...

Sorry for my poor English, and thanks to all the Tor guys, you guys are awesome.

The OP hints at a common (and perfectly natural) misconception about keeping Tor circuits as hard as possible to deanonymize, one which I notice has come up here several times in the past few months. It would be nice to work towards keeping visible at www.torproject.org an up-to-date FAQ with short authoritative answers to the most frequently *recently* asked questions which have recently arisen in discussions with users here and in other help venues, written for ordinary users rather than for sophisticated techgeeks or other developers.

The community team (https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam) is currently working on the Tor Project support portal, which will serve this function. Currently we are compiling content on the wiki at https://trac.torproject.org/projects/tor/wiki/org/teams/CommunityTeam/S…, however we plan to migrate this to a proper support page in the near future.

About those weekly chats:

I know Tor Messenger is only beta, but the irony is that if you junked OFTC and used a chat room at Calyx Institute (for example), the weekly chats would be accessible to Tor Messenger users without endangering themselves by offering money and contact information. That would mean that more Tor users could participate. And you'd be able to explore large scale use of OTR chats, etc. And you could invite tech reporters to join the discussion, giving Tor users a chance to interact directly with reporters. Of course USIC would show up too, hence the need for strong anonymity.

Tor Messenger may be only beta, but it is the *only* chat I can use.

+100!!!
Wonderful post!
I've tried to explain to Tor folks that they should provide anonymous access to their chats!
Tor Messenger needs more love!

Anonymous

July 06, 2017

Glad to see someone out there agrees with me!

I think Tor Messenger is without doubt one of the most promising projects from the Tor team. If it ever gets an impressive security audit and goes into "production", I think it could be the "killer app" ordinary people all over the world so badly need--- even if they don't yet realize that they need it!

Anonymous

July 05, 2017

I started TOR and was told it's out of date and clicked to update. So I just loaded the update and now I can't get TOR to start at all? Any help gratefully received

Thanks for the suggestion. It's Windows 10, but I have updated TOR on many occasions without any problems at all. The file downloads cleanly and seems to install OK, but just does not run. I have ever had an issue with either my antivirus or firewall previously. I have tried removing TOR and going back to 7.0.1, but now no difference?

Boklm, Thanks for the suggestion. I do have Trusteer installed but have not had any problems at all with either that or with TOR until I did the update to 7.0.2. I can't seem to uninstall TOR using the usual Windows methods, but have deleted the TOR directory and reloaded 7.0.1 but no joy there. I then deleted the TOR folder again and downloaded 6.5 and that installs and runs OK, but of course with all the known problems up to 7.0.2!
Thanks for the help and suggestions
Jon

I had the same problem, but I know now that it is because I have a private firewall in Windows, so when I disabled this firewall I had no problems anymore downloading the new version.
Can I use TOR browser also in Linux; if so, how to install?

"Are you seeing the same first node on multiple websites?"

Sorry, that's not what I meant.

When I use netstat (in Linux) I often see the same entry node connected to, twice. Not in the browser, I know about that and it's natural, but instead from my PC to the same entry node IP, but twice, two connections open. Now why would that be?

Intriguing!

What Tor version? If it's a recent one, and this is repeatable behavior, we want to know.

In particular, Tor 0.3.1.1-alpha has some fixes to reduce the chance of this situation happening, so it would be especially useful to know if you see these issues before 0.3.1.x but not after it.

Anonymous

July 05, 2017

7.0.2 is not perfect & sometime i wonder who is lying or corrupted ... no comment.

about:config

https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
April 14, 2017
Firefox Phishing Attack Uses Domains Identical to Known Safe Sites
Do a search for ‘punycode’ without quotes.
You should see a parameter titled: network.IDN_show_punycode
Change the value from false to true.

It removes the “open with” option from the download dialog
Hands up! I’m not really sure why this is considered a vulnerability, but it is! To turn this feature on:
browser.download.forbid_open_with
Double-click anywhere on the parameter to change it to true.

*and of course for tor_sandbox :
*Toggle the following two preferences so that their value becomes true:
*extensions.torlauncher.control_port_use_ipc
*extensions.torlauncher.socks_port_use_ipc
*you must install bubblewrap on debian.

This seems to be a reliable source:

https://nakedsecurity.sophos.com/2017/04/19/phishing-with-punycode-when…
Phishing with ‘punycode’ – when foreign letters spell English words
19 Apr 2017
Paul Ducklin

From about:config in Tor Browser (in Tails 3.0.1, so should agree with TB 7.0.2):

network.IDN_show_punycode;false

So I agree this would seem to be a problem, unless someone knowledgeable has tested TB 7.0.2 against punycode redirection schemes and confirmed it is not vulnerable, and understands why the attacks fail (if they do fail).

Assuming the TB team really did miss a vuln, however, I think you might be too harsh on them-- anyone who has tried to plow through the about:config options will have some sense of the frightful complexity of Firefox (or another major browser). What matters is not that they (mebbe) missed a hole but how quickly they fix it.
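
What the `network.IDN_show_punycode` preference discussed in the two comments above changes for the reader of a URL, as an added example that is not part of any comment and is not Tor Browser or Firefox code: it shows the `xn--` display form of a hostname and flags labels that mix scripts. The helper names and sample hostnames are constructed for illustration, and the script check is a simplification based on Unicode character names.

```python
import unicodedata

def script_of(ch):
    """Rough script guess from the Unicode character name (a simplification)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script
    return "OTHER"

def to_ace(label):
    """ASCII-compatible (xn--) form of one label. Uses the raw punycode codec,
    not full IDNA processing, which is enough to show the displayed form."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")

def from_ace(label):
    """Inverse of to_ace: what an xn-- label renders as when shown in Unicode."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def inspect_host(host):
    """Return the punycode display form plus the labels that deserve a second look."""
    labels = unicodedata.normalize("NFKC", host).lower().split(".")
    report = {"ace": ".".join(to_ace(l) for l in labels),
              "non_ascii": [], "mixed_script": []}
    for label in labels:
        if not label.isascii():
            report["non_ascii"].append(to_ace(label))
        scripts = {script_of(c) for c in label if c.isalpha()}
        if len(scripts) > 1:
            report["mixed_script"].append(to_ace(label))
    return report

# Constructed sample hostnames (not taken from the page).
SAMPLES = [
    "example.com",
    "ex\u0430mple.com",  # Cyrillic U+0430 in place of Latin "a"
    "\u043f\u0440\u0438\u043c\u0435\u0440.example",  # label written entirely in Cyrillic
]

if __name__ == "__main__":
    for host in SAMPLES:
        print(repr(host), inspect_host(host))
```

A label written entirely in one non-Latin script passes the mixed-script check, so only the `xn--` display form reveals it.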

> *and of course for tor_sandbox :

Which is a separate download all together, but ok.

> *Toggle the following two preferences so that their value becomes true:
> *extensions.torlauncher.control_port_use_ipc
> *extensions.torlauncher.socks_port_use_ipc

Unneeded with the bubblewrap based sandbox, and instead will break everything.

Totally worthless for the standard Tor Browser because there is no policy enforcement of "Only use AF_LOCAL" sockets, and adding any enforcement will result in a browser that can't load pages due to a Firefox bug (See #22794).

> *you must install bubblewrap on debian.

Will do nothing for standard Tor Browser, but yes, that is required for the real sandboxed Tor Browser.

Anonymous

July 05, 2017

It is very rare that I do this but while I had a few tabs open on 7.01 I decided to switch to off-line so I can open a non-secure connection with a different browser. Push come to shove, I left it idle for 30' and came back. The bugger had updated itself over tor and was asking me to restart WHILE IT WAS OFFLINE.

No good. If off-line does not mean off-line I recommend you take the mozilla button off or disable it altogether. I know it is better to shut-it-off and kill the tor daemon, but then why is there an offline button.
I strongly believe that simultaneous connections to tor and non-tor is a security weakness that I try to avoid.

Meanwhile, about 5 versions back I had written in the old blog about the "about" button/window staying on while the rest of the browser would shut-down and restart for a new tor circuit. A window is a window, whether browsing or displaying the about information. I was told then it was a bug meant to be looked at. It is still the same, isn't it?

AND, to top it all off, now we need to enable scripts to leave a comment?

> I strongly believe that simultaneous connections to tor and non-tor is a security weakness that I try to avoid.

I agree, and I am pretty sure TP will too.

> now we need to enable scripts to leave a comment?

Before trying the "new blog" I was afraid that would be the case, but it seems not to be. I have been able to post with javascript disabled. However, after hitting the post button, I have to hit the "new identity" button because otherwise TB will try to endlessly reload. This is awkward and probably somewhat dangerous (because it seems like it could perhaps make it too easy for an adversary with too much net presence to deanonymize and barrel bomb me) but it has not prevented me from commenting.

Another way would be to use a dedicated Tails session (boot from a live DVD burned from a verified ISO image) for each visit in which you anticipate trying to make even one post, to visit only blog.torproject.org during the Tails session, and to leave javascript enabled in TB (security level medium in the slider). I don't recommend changing the security slider during a browsing session, because I have observed that this appears to lead to many suggestions of unanticipated and possibly dangerous behavior by the complicated (TP, Mozilla, OS) software systems involved. But this method would possibly also be too easily spotted by too many bad guys.

The safest way, as always, alas, is silence.

At least until TP acquires sufficient resources to devote adequate effort to make blogging here reasonably safe for wary endangered Tor users.

Until then people who feel less endangered can try to speak for those who are more endangered.

> The safest way, as always, alas, is silence. (lol)
if the safest way is silence you should avoid all tor & foss projects and to be involved or to feel concerned :
avoid tor & tor-sandbox
avoid onion
avoid tutanota
avoid otr & tox
avoid cryptocat
avoid ricochet
avoid onionshare
avoid pgp
avoid codecrypt
avoid onepad
avoid sks
avoid 443
avoid dns
avoid openvpn
avoid linux
avoid english
avoid walk on the right side
avoid all anonymous comments
avoid privacy & dignity
avoid to be a human being
> The safest way, as always, alas, is silence. (lol)
