Tor Browser 7.0.5 is released

Tor Browser 7.0.5 is now available from the Tor Browser Project page and also from our distribution directory.

This release makes HTTPS-Everywhere compatible with Tor Browser on higher security levels and ensures that browser windows on macOS are properly rounded.

The full changelog since Tor Browser 7.0.4 is:

  • All Platforms
    • Update Torbutton to 1.9.7.6
      • Bug 22989: Fix dimensions of new windows on macOS
      • Translations update
    • Update HTTPS-Everywhere to 2017.8.31
    • Update NoScript to 5.0.9
    • Bug 23166: Add new obfs4 bridge to the built-in ones
    • Bug 23258: Fix broken HTTPS-Everywhere on higher security levels
    • Bug 21270: NoScript settings break WebExtensions add-ons
Anonymous

September 04, 2017

Permalink

After upgrading to version 7.x.x, Google Checker extensions do not work: Checker Plus for Gmail / Gmail Notifier / Gmail Notifier + ...

Using Gmail and Tor together is counter intuitive and you should not install any other extension in Tor because they can easily break your anonymity. Use normal Firefox if still want to be survailed by Google...

Because of this problem, there are also difficulties with activating through a Google Account (Gmail, Youtube, Google Analytics, third-party API services ...). Services for some reason do not see a logged-in account. And you have to log in to each service again. This problem arose just after the upgrade to version 7.x.x.

Interesting observation!
For some reason, first my Gmail account, then my entire Google internet connection has gone. So I thought, What a brilliant flanking maneuver if I access my gmail account thru Tor. This appeared to be working, but then, because it was an unrecognised access point, Google/Gmail asked for verification that it was indeed me. At that point I backed off - and read your comment.
You warn against "using Gmail and Tor together". I guess the above is an example of what you are referring to?

No. I sign into my Gmail account, then I go to YouTube and I need to re-enter my login and password to log into the same Google account. And so in all Google services.

The same is connected with the fact that Gmail Checker extensions have stopped working. They just do not see the mail account.

These problems appeared after the transition to the version of TB 7.x.x.

There are different levels of security, and depending on threat model maybe you're not worried about google reading your email, but you are worried about google tracking you and knowing where you are.

Don't be such an overzealous butt. Gmail is still one of the most convenient free email services that has a decent UI. Have you even tried using a privacy focused provider like Tutanota? There isn't even search!! And they're more likely to shut down (remember Ghostmail?).

I guess this is related to our anti-tracking features that got upstreamed for Firefox 52. Just to test that: does your setup work again if you set privacy.firstparty.isolate to false? (You might want to restart to test with a clean session)

Anonymous

September 04, 2017

Permalink

thanks! :)
I was really struggling not having HTTPS-Everywhere protecting me. Glad to have it back!

Anonymous

September 04, 2017

In reply to by Anonymous (not verified)

Permalink

Its really odd that this hasn't been tested before being released.

All it would take to see it didn't work properly is clicking on the HTTPS Everywhere button since the whole UI would be messed up.
And of course it wouldn't redirect sites listed as supporting HTTPS to HTTPS.

You have put many users at risk with this easy to spot and fix bug here ... I'm sure of it.

So now that you pointed out how simple it is to find did you tell anyone? Do or did you offer a fix?
I didn't think so. Just another user like me but you are a whiner, I'm a user and thank all the people
who work so hard to make TOR for us.

Way to go guys and gals. Some of us are highly appreciative. Won't hear me bitching.

Please shut up. There is simply nothing more disagreeable than somebody cutting off the option of negative feedback. Not everything in existence is perfect or finished and not every hard working and dedicated helpful person is competent or useful. Some endanger you with good intentions. Some are malevolently lazy. Some have overlooked something.

Fucking complain if you feel like it and stop imposing correctness upon incorrect reality.

To those that do the work, thanks. Don't be hyper-sensitive and if you can't work within reality and require constant affirmation, then consider different work.

And you, GW, just shut the fuck up forever.

Anonymous

September 04, 2017

Permalink

2017/09/04 21:16:39 firefox: 1504552599800 addons.webextension.{73a6fe31-595d-460b-a920-fcc0f8843232} WARN Loading extension '{73a6fe31-595d-460b-a920-fcc0f8843232}': Reading manifest: Error processing permissions.1: Unknown permission "privacy"
2017/09/04 21:16:39 firefox: 1504552599900 addons.webextension.https-everywhere-eff@eff.org WARN Loading extension 'https-everywhere-eff@eff.org': Reading manifest: Error processing devtools_page: An unexpected property was found in the WebExtension manifest.
2017/09/04 21:16:40 firefox: 1504552600000 addons.webextension.https-everywhere-eff@eff.org WARN Please specify whether you want browser_style or not in your browser_action options.

Anonymous

September 04, 2017

Permalink

Security Error: Content at moz-extension://44ef1069-8279-4018-9045-cf2409de304a/popup.html may not load or link to chrome://favicon/https://affiliates.mozilla.org/.
Invalid chrome URI: /
Cannot send message: Other side disconnected: ["MessageChannel:Response", {result:4, messageName:"1349-0", recipient:{}, error:{message:"Message manager disconnected", result:(void 0)}}] ExtensionUtils.jsm:1091
Cannot send message: Other side disconnected: ["MessageChannel:Response", {result:4, messageName:"1350-0", recipient:{}, error:{message:"Message manager disconnected", result:(void 0)}}] ExtensionUtils.jsm:1091
Error: Popup destroyed ext-utils.js:124:39

Anonymous

September 04, 2017

Permalink

Is there a way to make the TBB avoid using such circuits which have two or more relays from the same country? For example I wish that the TBB would avoid using circuits such as Germany-Germany-Germany or France-Germany-France.

Also, it would be nice if there would be a way to choose the country of the exit node by site, because there are some sites which are available only from some specific countries, and clicking several hundreds of times the "new circuit for this site" can go very time wasting and annoying in case of bad luck, as new circuits are probably random, or anyway the user has no control over them.

Thanks for the update, best wishes for the developers.

For example I wish that the TBB would avoid using circuits such as Germany-Germany-Germany or France-Germany-France.

No way. It was intentional. TorProj thinks that in this case diversity beats security. Either you hack tor or use manual chains construction using ControlPort portocol (usable in shell commanline or with arm).

Also, it would be nice if there would be a way to choose the country of the exit node by site

Answer is the same as above. However, you can enable one option in torrc to use exit notation for site chosen. Keep in mind it may harm anonymity, so this option is disabled by default.

Tor follows its way (discussing about the best settings or countries is a political question and even open a doubt on the chain trust _ are the dev/relays compromised ? e.g._ ) ; and according on where you live and the nearest server it could be france france france ... do not tweak if you do not know what you are doing ... do not break Tor ...
- be involved , run a relay, make a donation , support the others in their struggles on the net or in the real life.
- a lot of e.u countries are closing slowly their e-frontiers (except for their commercial & private benefits of course) ,
- open a window at the european limits (spain _support cataluna ; turquey _ support against u.s.a/cia threats ; crimea _ support russia independence ; france _ support their enemies ; germany _ support assange/snowden & all the others ...
it costs nothing , no risk , no danger, just a voice, an opinion , few dollars here ; some message there ; just an human being who need to be free without walls , chains , barriers on the net like in the real life.
That is the best solution for obtaining a better onions network.

There are A few good VPns that let you pick the country. Like Cyberghost. They dont keep logs, Plus I think its made in Germany or close, So USA cant find out shit bout your use of it..

they cant request something a program doesnt keep.. NO VPN SHOULD KEEP logs, its retarded imo

Really? Out of all the VPNS you recommend CyberGhost?....... either you're police posting misleading reviews, or you're clueless as to what Cyber Ghost does.

Cyber Ghost is by far the worst VPN in terms of keeping it's users safe, i would only ever use it for torrenting or everyday basic clear net browsing on an unsecured network, but even then i would be hesitant,

They do maintain logs, and with the right warrant in place, they will hand them over. They would also highly likely turn a blind eye if they noticed their service was attacked by an agency and the traffic was monitored. They are the same as Hide My Ass and all the other free VPNS with shit service.

If you use a VPN with TOR, use something like AIRvpn or Proton Mails VPN, or find a dodgy eastern European based/Chinese vpn and pay for it in tumbled BTC while accessing the service from a chain of proxys.

protonmail is not at all a secure and safe webmail : i do not recommended it (sold/rotten/falsehood/crook/untrust) and i have not read a sincere review about their vpn (audit ?)

airvpn like some others one have a good reputation but they do not provide a free version.

do you know uncensored dns DK ?

OneFromMany: I have some of the same concerns as you, that may or may not be without merit. I get very nervous when I see all three nodes residing in the same country, or certain partner countries. I'll admit I don't know the exact method of how Tor selects nodes, but I think we must realize that the capabilities of both corporations and governments to have access to and to aggregate and correlate data from a wide variety of sources is much, much more advanced than when Tor first rolled out. Such organizations can procure bandwidth and computer power never dreamed of when Tor first started, and to many such organizations the cost of said resources is small potatoes. Complex correlation software is already being developed by advertisers and other data miners, so the software involved would be in a number of org's budgets if the data was worth it. So when I see a node trio I don't like, I keep selecting new circuits until I see something I'm more comfortable with.

Anonymous

September 04, 2017

Permalink

I must addd to your prefs.js b/c you are missing imortants prefs:

# Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the application is running,
* the changes will be overwritten when the application exits.
*
* To make a manual change to preferences, you can visit the URL about:config
*/

[snip]

I edited your post omitting all the prefs you posted as some contain information that could be sensitive. [G.K.]

Anonymous

September 04, 2017

Permalink

without javascript the GUI of HTTPS-Everywhere is broken.
The counter, HTTPS-Everywhere protecting site or not, is gone.

Anonymous

September 04, 2017

Permalink

HTTPS-Everywhere is REALLY messed-up.
No 'Block all unencrypted requests' !
No GUI without javascript.
No counting.

Whats Going On??

Have test it with " Tor Browser 7.0.5 and HTTPS-Everywhere 2017.8.31".

With Security slider High and javascript ON there is still this problem with HTTPS-Everywhere:
No "Block all unencrypted requests", nearly blank GUI and no counting.
That's new.

Anonymous

September 05, 2017

Permalink

"about:config" : 2
- TRUE = network.IDN_show_punycode
- FALSE = browser.urlbar.trimURLs
"searchengine" : 4
- UNCHECKED : google, tweeter, yahoo, youtube
that's the settings i recommended.

Join the discussion...

This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.

6 + 0 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.