Tor Browser 7.0.2 is released

Tor Browser 7.0.2 is now available from the Tor Browser Project page and also from our distribution directory.

This release features an important security update to Tor.

We are updating Tor to version 0.3.0.9, which fixes a path selection bug that could allow a client to build a circuit whose guard was in the same network family as its chosen exit relay. This release also updates HTTPS-Everywhere to 5.2.19.

Here is the full changelog since 7.0.1:

  • All Platforms
    • Update Tor to 0.3.0.9, fixing bug #22753
    • Update HTTPS-Everywhere to 5.2.19
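To make the class of bug concrete, the following Python model is an added example, not code from the Tor source tree. It implements the two family rules tor applies by default (a MyFamily declaration, modelled here as either relay listing the other, and a shared IPv4 /16 under EnforceDistinctSubnets), builds a three-hop path the way tor does (exit first, then guard, then middle), and shows what goes wrong when the guard candidates are not filtered against the exit already chosen. The relays, addresses and fingerprints are constructed for the demonstration, and the model is deliberately simplified (no NodeFamily configuration, no IPv6, no bandwidth weighting).

```python
"""Relay-family rule in Tor path selection, modelled in Python.

Added example, not code from the Tor source tree. It models the two
checks tor applies by default when deciding whether two relays belong to
one family (a MyFamily declaration by either side, and a shared IPv4 /16
under EnforceDistinctSubnets). choose_path() picks the exit first, as tor
does, and shows why the guard candidates must then be filtered against
that exit; with the filter disabled it reproduces the class of bug fixed
in 0.3.0.9 (#22753). All relays, addresses and fingerprints below are
constructed for the demonstration.
"""
from __future__ import annotations

import ipaddress
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    fingerprint: str                 # constructed 40-hex-char identity digest
    address: str                     # IPv4 OR address
    guard: bool = False              # carries the Guard flag
    exit: bool = False               # carries the Exit flag
    family: frozenset = frozenset()  # fingerprints listed in MyFamily


def same_subnet(a: Relay, b: Relay) -> bool:
    """EnforceDistinctSubnets rule: two relays in one IPv4 /16 count as family."""
    net = ipaddress.ip_network(f"{a.address}/16", strict=False)
    return ipaddress.ip_address(b.address) in net


def declared_family(a: Relay, b: Relay) -> bool:
    """Declared-family rule (simplified): either relay lists the other in MyFamily."""
    return b.fingerprint in a.family or a.fingerprint in b.family


def in_same_family(a: Relay, b: Relay) -> bool:
    """A relay is trivially in its own family; otherwise apply both rules."""
    return (a.fingerprint == b.fingerprint
            or same_subnet(a, b)
            or declared_family(a, b))


def path_violations(path: list[Relay]) -> list[tuple[str, str]]:
    """Every pair of hops that share a family. A correct circuit yields []."""
    bad = []
    for i, x in enumerate(path):
        for y in path[i + 1:]:
            if in_same_family(x, y):
                bad.append((x.fingerprint, y.fingerprint))
    return bad


def choose_path(relays: list[Relay], rng: random.Random,
                check_guard_family: bool = True) -> list[Relay]:
    """Pick exit, then guard, then middle; returns [guard, middle, exit].

    With check_guard_family=False the guard set is not filtered against
    the already-chosen exit, which is the kind of mistake #22753 fixed.
    """
    exit_relay = rng.choice([r for r in relays if r.exit])
    guards = [r for r in relays if r.guard and r is not exit_relay]
    if check_guard_family:
        guards = [g for g in guards if not in_same_family(g, exit_relay)]
    guard = rng.choice(guards)
    middles = [r for r in relays
               if not in_same_family(r, exit_relay)
               and not in_same_family(r, guard)]
    middle = rng.choice(middles)
    return [guard, middle, exit_relay]


def count_violating_paths(relays: list[Relay], seeds: int,
                          check_guard_family: bool) -> int:
    """Build one circuit per seed and count how many break the family rule."""
    return sum(1 for s in range(seeds)
               if path_violations(choose_path(relays, random.Random(s),
                                              check_guard_family)))


# Constructed sample network. EXIT_A and GUARD_A are run by one operator
# and declare each other; GUARD_B shares EXIT_A's /16 without declaring
# anything; GUARD_C and the two middles are unrelated to everyone.
EXIT_A, GUARD_A, GUARD_B, GUARD_C = "E" * 40, "A" * 40, "B" * 40, "C" * 40
MIDDLE_1, MIDDLE_2 = "1" * 40, "2" * 40
SAMPLE = [
    Relay(EXIT_A, "198.51.100.10", exit=True, family=frozenset({GUARD_A})),
    Relay(GUARD_A, "203.0.113.5", guard=True, family=frozenset({EXIT_A})),
    Relay(GUARD_B, "198.51.7.7", guard=True),
    Relay(GUARD_C, "192.0.2.20", guard=True),
    Relay(MIDDLE_1, "10.1.2.3"),
    Relay(MIDDLE_2, "10.2.2.3"),
]

if __name__ == "__main__":
    print("violating circuits with the guard check   :",
          count_violating_paths(SAMPLE, 50, True))
    print("violating circuits without the guard check:",
          count_violating_paths(SAMPLE, 50, False))
```

Run it as a script: with the check in place, GUARD_C is the only admissible guard for EXIT_A and no circuit ever pairs family members; without it, a share of the 50 seeded circuits pick GUARD_A (declared family) or GUARD_B (same /16) alongside EXIT_A, which is exactly the situation a single operator could exploit to see both ends of a circuit.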

Hi, death,

I think we are actually saying the same thing: being on the Internet is dangerous, but necessary for life, so life is dangerous, but instinct demands that we try to prolong life, so... huzzah tor and all those other nice things you mentioned!

Some years ago a poster requested in this blog that Debian developers introduce quantum-cryptanalysis resistant crypto, and codecrypt (confusingly, man codecrypt doesn't give a man page, but the utility is ccr and man ccr gives a man page) tries to work toward that need. However, I wish it had more extensive documentation.

Keep the good stuff coming, please, FOSS people!

Anonymous

July 07, 2017

In reply to Anonymous (not verified)

https://github.com/exaexa/codecrypt
It needs an audit (like most FOSS).
It needs practice, and I have not found a site for that, but PGP has several, like this one:
https://www.reddit.com/r/GPGpractice/
or this one, working only with PGP:
https://keybase.io/tlikonen

EFF is preparing a new guide:
https://www.eff.org/secure-messaging-scorecard

FOSS:
https://privacytoolsio.github.io/privacytools.io/
Never trust any company with your privacy; always encrypt (especially if you suspect some of them are working on the bad side, e.g. ProtonMail).

> it needs an audit (like most foss).

And much better documentation (like too much FOSS).

But I don't want to sound harsh: at least some individuals out there are trying to help.

Still, it seems clear that what we need is a concerted global cooperative effort to develop, code, audit, and promote post-quantum crypto. Such concerted cooperative efforts to make something everyone needs happen are best done by governments, but we have the special problem that all the world's governments now seem to hate anything which empowers citizens, such as strong crypto.

Describing the problem is easy; fixing it will not be. But fix it we must, somehow.

> https://www.eff.org/secure-messaging-scorecard

Very cool! I hope they at least mention Tor Messenger, maybe even urge readers to consider a donation to Tor Project.

Anonymous

July 05, 2017

Since the update I cannot connect to any onion sites; the connection just times out. However, all other sites are fine. Any info or help/advice?

In order of likelihood, my guesses are:

A) The onion sites you're trying are all down. Try http://duskgytldkxiuqc6.onion/ or https://www.facebookcorewwwi.onion/

B) Your time or date or timezone on your computer are set wrong.

C) You messed with your Tor Browser configuration a bunch and you broke the proxy settings or some other piece of the config.

Let us know which one it is. :)

I notice that the Debian 9.0 installer is more aggressive about making everyone use NTP (Network Time Protocol) than Debian 8.0. Years ago users were warned that NTP is hopelessly insecure. I hope that is no longer the case!

> Your time or date or timezone on your computer are set wrong.

Quick question about that: what is the approximate time scale where clock offsets can interfere with using onion services?

Another issue with strangely set system clocks is presumably that this can assist the bad guys in deanonymizing us.

Anonymous

July 05, 2017

Thanks for the update!!

I checked with http://ip-check.info/

With the highest setting there are two points that the site marks as bad:

- Authentication: unique ID
- Cache (E-Tags): unique ID

Is this ok so or what should I do?

thanks !!

both can read an

Go into about:config and turn off the memory cache to disable the Cache (E-Tags) unique IDs.

As far as the Authentication unique ID goes, there is no way to do so in Firefox/Tor. (So the only way you can safely get a new Authentication ID is to restart Tor each time you want to revisit a site you already previously visited.)

We believe those are false positives which the test can't detect right now. We contacted the ip-check developers and they are working on a fix.

thx !!

Cannot change listen and control ports using the torrc file.

I tried switching ports to 9250 and 9251; however, in Process Explorer it shows Tor listening on 9250, 9251 and the default 9150, 9151.

Also, I tried setting the SOCKS port in the browser network tab to 9250 and it crashes on startup.

I figured out why Tor crashes if you change the ports: there are invalid characters in the command line, but I don't know how they get there.

If you change torrc to use SocksPort 9250 and ControlPort 9251, you end up with this command line:

+__ControlPort 9251 +__SocksPort

For some reason the Tor Browser adds those two plus signs, which causes tor.exe to crash. If you copy the entire command line to a Windows batch file and remove those plus signs, Tor starts and listens on the custom ports.

Could you get us a log file containing debug output so we can investigate the crash further? You could add a log entry to your torrc file like Log path\to\your\logfile\name. Or you could overwrite the tor.exe file in your bundle with the one from the expert bundle (https://archive.torproject.org/tor-package-archive/torbrowser/7.0.2/tor… for the current one). And starting Tor Browser afterwards should give you a console with tor log messages.

Sorry for the late reply...

The crash still happens with TBB 7.0.11, and when adding the Log option to torrc, no log is generated. Also, replacing tor.exe with the one from the expert bundle doesn't help. The debug window closes almost immediately.

What does your torrc file look like after you added the log option?

Question for arma or another knowledgeable Tor employee:

I use Debian 9.0 (stretch). I have installed Debian-tor to use apt-transport-tor so that I can access the repos using the onion mirrors, in the hope of improving the security (both anonymity and integrity) of software updates, as per

https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian…

The configuration file is in /etc/tor/torrc and it seems that the default configuration might not be optimal for apt-transport-tor. (I can use Tor Browser for web-browsing, which has its own tor engine and configuration.)

What is the safest configuration for users of apt-transport-tor?

I think the default torrc that you get with the Tor deb should be fine for use with apt-transport-tor.

(There are indeed power users out there on the Internet who make guides about all the knobs that you should turn. Every time you turn a knob you risk standing out a bit more. That's why we try to make the defaults good enough for most people.)

Thanks much for the prompt and authoritative answer to my question!

I try to always keep in mind the tradeoff between maximizing anonymity (e.g. by using the default settings) and attempting to minimize vulnerabilities to the latest known attacks. This always involves difficult choices made on the basis of too little or too unreliable information, yet the choices must be made, so...

BTW, I accept that while Tor people know much much more than I do, anyone can be wrong, a risk which I also accept, because I know you are doing the best you can under difficult circumstances.

Tails fails to start Tor after the update to 3.0.1. The log says:
/var/lib/tor has wrong permissions
config file can not be read

I Want 64BITS Version! :(

Make it! ;)

I'm asking for Tor E-mail Client, please, make one I can recommend to freedom people.

TorBirdy is an extension for Mozilla Thunderbird that configures it to make connections over the Tor network: https://trac.torproject.org/projects/tor/wiki/torbirdy

But no anonymous remailers are involved, correct? So that you still need to obtain an email account from an ISP, presumably using your real identity at some point? (Note that ecash is typically not anonymous when your adversaries include the governments of SY, RU, US, etc.)

Without a [desktop-based] email client (Thunderbird, TorBirdy, ...) you can still use email in a safe way with HTTPS: by using the web-based email client of "quite trustable" providers like Gmail (typing, sending, reading, ... doing everything in the browser, not in a desktop-based client).

By using Gmail that way (right in the browser, not in a desktop-based client), your LOCAL ISP will have no way to eavesdrop on your email communication. Google themselves and the NSA, however, may still be able to read your messages, so to cut through the Google+NSA noise, use GPG to encrypt important information in the emails, and only use plain text for unimportant information.

By using the two tactics (HTTPS email like Gmail, and GPG to encrypt important information), all the third parties (your local ISP, international ISP, NSA, ...) will have ZERO chance to read your messages. Quite a bit more sophisticated, and it requires your partner to use GPG too, but using email will become "doable" and safe for you.

Gmail is not at all recommended: avoid it. Tutanota could be a better option, e.g.

Hello!
How to make Tor traffic look like multiple file downloads over HTTP/XHR (not HTTPS)?
Will it ever be implemented?

Hi!! Can a dev please help me out? How do you use Bitcoin Core with Tor??? Before you had Vidalia... now you only have Tor Browser... how can you use just Tor without opening Tor Browser, so you can activate Tor and Bitcoin Core to run over Tor? Do you have to open your Tor Browser at the same time?

I wanna know this too!

https://www.eff.org/deeplinks/2017/06/be-prepared-summer-security-camp
Be Prepared: Summer Security Camp
Aaron Jue
20 Jun 2017

> EFF has just launched the Summer Security Camp, a two-week membership drive that challenges people everywhere to gather ‘round the online rights movement and prepare for the privacy and free speech challenges in their paths.

Fuck this download!!! It's fucking everything up for me. I can't log on to a certain site and never had a problem until this shitty update!!!! I HATE THIS SHIT, I'M LOSING STUPID MULAH!!!!!

How can I use Roboform?

Thank you for your work. Russia needs TOR very much under Putin

Anyone has more information regarding Bogatov, like a potential release or so?? Any update?

I also would welcome an update.

YouTube is still not displaying properly (flashing when content overlaps).

I opened a ticket for that to track the issue down and fix it: https://trac.torproject.org/projects/tor/ticket/22868. Thanks for reporting.

While updating... there is DETECTED:EE:Malwr.Heru.Graftor.369260
Why??????????????????????????????

thank you for this apple

As so many questions in this blog from understandably confused newbies constantly demonstrate, even experienced Tor Browser users often don't know things they need to know in order to use Tor (or indeed their PC/laptop) in less dangerous ways, given the threat environment facing Debian+Tor users.

I appeal again to the Debian Project/Tor Project team which (thank you!!) authored the "Tor at the Heart" post popularizing the onion service mirrors for Debian to do more to help Debian users avoid making potentially harmful errors.

Example: can you publish an updated version of the original post

https://blog.torproject.org/blog/tor-heart-apt-transport-tor-and-debian…

(and thanks for posting that!), taking account of the fact that the new Debian stable is stretch, and also of the fact that at some point contrib and non-free were quietly added to the onion mirrors (and thanks for doing that, it was badly needed!), please?

Example: can you publish a tutorial on how to use nftables (the replacement for iptables in Debian stretch)

https://wiki.nftables.org/wiki-nftables/index.php/Main_Page

to set up a personal firewall on our PC/laptop which

o plays nice with DHCP (for talking to a SOHO wired router),

o same for other common SOHO or internet cafe usage scenarios,

o doesn't inadvertently block other necessary and legitimate actions,

o plays nice with Debian-tor (for using apt-transport-tor),

o plays nice with Tor Browser (installed from the latest Tor Browser Bundle, so with its own stand-alone Tor client),

please?

If you don't publish timely HOWTOs, your users will go the internet for advice, where they will find all manner of

o misinformation ("a fresh Debian install is firewalled by default"),

o terribly bad advice ("Debian users don't need firewalls"),

o dangerously inappropriate/outdated information (my search engine "helpfully" pointed at ten year old HOWTOs on using ipchains to set up a firewall for a LAN).

The likely result: not just suboptimal solutions to security problems, but dangerous "solutions" which solve nothing but create even more vulnerabilities for ordinary Tor users.

Please, for "help wanted", ask on the appropriate blog/mailing list:
https://lists.debian.org/debian-user/2017/07/maillist.html
https://wiki.debian.org/nftables
You could also contact a LUG.
https://www.lifewire.com/soho-routers-and-networks-explained-3971344 (updated July 06 2017)
https://www.examcollection.com/certification-training/a-plus-how-to-sec…
# Debian users do not make 'potentially harmful errors' and do not follow dangerously inappropriate/outdated information.
Take a look here for better help:
https://sparkylinux.org/
or choose another distro ;)
# Time, patience & being involved needed.
Thanks.

Maybe a better link:

https://wiki.debian.org/nftables


I've noticed recently that my entry relays for all my connections were from the same nation, only that one nation.

I read https://www.torproject.org/docs/faq.html.en#EntryGuards, but I think it would be troublesome if my entry guards were from only one country all the time. This didn't happen before (my entry relays had been from various nations). Is there something wrong with that??

(I use obfs4 bridges, and I have just changed to use a very few bridges I saved before, to change the nation of my entry relays.)

when I go to gmail.com it takes me to "https://accounts.google.com/signin/v2/identifier?service=mail&passive=t…"

Preventing me from creating a new gmail account. How can that be overcome?

I used to create gmail accounts on Tor Browser. One thing I noticed is that they (Google) match our GeoIP nation with our phone number country code: when these don't match, they won't allow us to create an account.

I can't recall how I overcome this, but it's possible. However, they (Google) seemed to figure out where I'm really from (which country/nation) when they finally allowed me to create the accounts (can't recall this exactly; that was quite some time ago)!

First of all a big thank you to the Tor team for all their hard work.

Second, Mozilla decided to use Google Analytics on the about:addons page as a means to track the user's addon selection behavior.

See here https://twitter.com/NicolasPetton/status/884694176515936256 and here https://bugzilla.mozilla.org/show_bug.cgi?id=1302552#c1

I think this is absolutely underhanded and in case of Tor goes against everything you are trying to accomplish.

Maybe you could remove this in the upcoming releases since you are already heavily altering the FF code?