The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
2022-11-30T16:52:28Z

https://gitlab.torproject.org/tpo/web/support/-/issues/280
Discourage more running a browser in parallel to Tor Browser
2022-11-30T16:52:28Z
Georg Koppen

We have https://support.torproject.org/tbb/tbb-17/ for answering the question about whether it is safe to run a different browser in parallel to Tor Browser.
It's correct that *Tor Browser's* privacy features are unaffected by that but we should stress more the risk of linking both browsing activities.
Maybe something like
```
If you run Tor Browser and another browser at the same time, it won't affect Tor's performance or privacy properties. However, be aware that when using Tor and another browser at the same time, your Tor activity could be linked to your non-Tor (real) IP from the other browser, simply by moving your mouse from one browser into the other. Or you may simply forget and accidentally use that non-private browser to do something that you intended to do in Tor Browser instead.
```
Thanks to `ForMariosTheHacker` at h1 for pointing that out.
Gus

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40229
Proxy log scrubbing misses URL-encoded IPv6 addresses
2022-11-28T20:58:21Z
David Fifield (dcf@torproject.org)

The log scrubbing patterns (tpo/anti-censorship/pluggable-transports/snowflake#21304, tpo/anti-censorship/pluggable-transports/snowflake#40115)
miss IPv6 addresses in URLs, where `:` is encoded as `%3A` or `%3a`.
URLs like these may be logged in the case of HTTP errors.
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake-webext/-/merge_requests/55#note_2851695
> `error dialing relay: wss://snowflake.torproject.net/?client_ip=2001%3Adb8%3A4000%3A%3A1234 = dial tcp: lookup snowflake.torproject.net: no such host`

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40185
overflow in bandwidth reporting
2022-11-21T15:34:42Z
trinity-1686a

A user reported on `#tor` they see a strange bandwidth report on their snowflake proxy.
![image](/uploads/2840f9598f1d194a89058c04a84023e4/image.png)
It looks very much like an overflowed signed 32b integer. They use snowflake on raspberry pi 3 (64 bit), however I've heard more than one time of things going 32b on raspberries, so may be reproducible only in 32b mode

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40117
display the proxy NAT type in the logs
2022-11-16T18:19:45Z
meskio (meskio@torproject.org)

The proxy NAT type is only being written to the logs if the `-verbose` flag is set. Will be nice to display it anyway.
itchyonion

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/26650
Update d3dcompiler_47.dll to latest version in Tor Browser (10.0.15063.675)
2022-11-16T09:36:20Z
Georg Koppen

A user on the blog (https://blog.torproject.org/comment/275958#comment-275958) mentioned there is a newer version of the d3dcompiler_47 library we ship with Tor Browser and strongly suggested to update the one we provide.
Sponsor 131 - Phase 5 - Ongoing Maintenance
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40184
fixed unit for bandwidth logging
2022-11-11T14:38:01Z
invoked

Currently, the proxy logs bandwidth in changing units as the bandwidth scales up (KB->MB->GB). It might be preferable for the proxy operators to have a fixed unit instead. The problems associated with the way it currently works are:
1. If the proxy operator wants to scrape the logs for bandwidth data for use in other programs, the unit keeps changing.
2. Units like GB can cause the values of 1 or 2 to be far less meaningful when the proxy won't see bandwidth in the GB range consistently.
I would suggest fixing the values to KB unit.

https://gitlab.torproject.org/tpo/web/donate-static/-/issues/97
twitter metacard not appearing
2022-11-07T22:06:55Z
Kez

@nicob pointed out in IRC that twitter is not showing our card image. i've checked with a few unofficial validators (<https://tweetpik.com/twitter-card-validator>, <https://www.bannerbear.com/tools/twitter-card-preview-tool/>) and they have no issues. but on twitter, our card looks like this: ![image](/uploads/89374a3a73809ab58e8e5a86ad018c6b/image.png)
i think the issue is the robots.txt file i added to logo, it disallows crawlers from checking the /static directory (containing our card image), and twitter respects robots.txt
Year End Campaign 2022

https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40115
Scrub pt.Log calls like other logs
2022-11-07T16:25:28Z
David Fifield (dcf@torproject.org)

!67 added [`ptEventLogger`](https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/blob/bd636a1374efb514bbc40acbd1dcaf0ecec26916/client/lib/pt_event_logger.go) which sends messages to the managing process using `pt.Log`. But these logs are not scrubbed of IP addresses the way all other logs are scrubbed (as in
#21304).
I saw this in the Tor Logs in Tor Browser:
```
3/17/22, 02:24:50.145 [NOTICE] Managed proxy "./TorBrowser/Tor/PluggableTransports/snowflake-client": offer created
3/17/22, 02:24:50.146 [NOTICE] Managed proxy "./TorBrowser/Tor/PluggableTransports/snowflake-client": broker failure dial tcp: lookup cdn.sstatic.net on 192.168.0.1:53: dial udp 192.168.0.1:53: connect: network is unreachable
```
itchyonion

https://gitlab.torproject.org/tpo/core/tor/-/issues/40119
Tor fails to build on Ubuntu Groovy Gorilla: -Wextra-semi only used for Obj-C and C++
2022-11-03T19:44:58Z
Alexander Færøy (ahf@torproject.org)

@weasel reported the following error today on `#tor-dev`: https://jenkins.torproject.org/job/tor-ci-linux-master/4880/
The error seems to be:
cc1: error: command-line option '-Wextra-semi' is valid for C++/ObjC++ but not for C [-Werror]
cc1: all warnings being treated as errors
As seen in: https://jenkins.torproject.org/job/tor-ci-linux-master/4880/ARCHITECTURE=amd64,SUITE=groovy/consoleText
We should probably disable `-Wextra-semi` as this seems to only apply for C++ and Objective C.
Alexander Færøy (ahf@torproject.org)

https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/126
Telegram distributor: give some guidance on how to use bridges
2022-10-28T15:58:28Z
meskio (meskio@torproject.org)

Provide some information on how to use bridges when the bot hands bridges over telegram. For example the following text might work:
```
Here are your bridges:
obfs4 ...
obfs4 ...
If you are using Tor Browser:
1. Choose "☰ ▸ Settings ▸ Tor" to open your Tor settings.
2. In the "Bridges" section, enter your bridge in the "Provide a bridge" field.
If you don't have Tor Browser you can download it from https://torbrowser.org or if this website is blocked ask the gettor bot for it: @gettor_bot
```
The implementation of the distributor is here: https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/blob/main/pkg/presentation/distributors/telegram/telegram.go

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40638
Visit our website link after build-to-build upgrade in Nightly channel points to old v2 onion
2022-10-27T22:48:08Z
richard

After upgrade nightly builds have the following copy on about:tor:
----
### Tor Browser has been updated.
For the most up-to-date information about this release, [visit our website](http://f4amtbsowhix7rrf.onion/).
----
We need to upgrade this to the new v3 onion
Sponsor 131 - Phase 3 - Major ESR 102 Migration
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40491
Don't auto-pick a v2 address when it's in Onion-Location header
2022-10-26T09:10:14Z
Roger Dingledine

As suggested by the discussion with @pastly on #tor just now:
In the upcoming Tor Browser, we aren't able to load v2 onion addresses anymore. But if you clicked "always redirect me" on the Onion-Location handler, then the browser automatically slams you into the ground whenever you visit a site that tells you a v2 address in its Onion-Location header.
Maybe that means we should decline to auto-follow v2 addresses?
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/core/tor/-/issues/17343
Add torrc option OnionService* alias for HiddenService*
2022-10-20T22:33:53Z
David Goulet (dgoulet@torproject.org)

Since the rebranding of Hidden Service to "Onion Service" is now a thing, it would make sense to add aliases for every hidden service torrc option to be changed to use "OnionService" instead. Here are the options I can find in tor man page:
```
HidServAuth --> OnionServiceAuth
HidServDirectoryV2 --> OnionServiceDirectoryV2
MinUptimeHidServDirectoryV2 --> MinUptimeOnionServiceDirectoryV2
VoteOnHidServDirectoriesV2 --> VoteOnOnionServiceDirectoriesV2
PublishHidServDescriptors --> PublishOnionServiceDescriptors
FetchHidServDescriptors --> FetchOnionServiceDescriptors
HiddenService* --> OnionService*
```
Just to be clear, it's NOT a renaming but we add an alias for the current options so both live together.

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/41104
Visit our website link after build-to-build upgrade in Nightly channel points to old v2 onion
2022-10-18T12:22:22Z
richard

After upgrade nightly builds have the following copy on about:tor:
----
### Tor Browser has been updated.
For the most up-to-date information about this release, [visit our website](http://f4amtbsowhix7rrf.onion/).
----
We need to upgrade this to the new v3 onion
Sponsor 131 - Phase 3 - Major ESR 102 Migration
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40465
Onion Authentication fails when connecting to a subdomain
2022-10-12T23:23:27Z
cypherpunks

Specs (shouldn't be very important other than the version):
Tor Browser 10.0.17
Safer Setting
Linux X11
Steps to reproduce:
1. Obtain a service descriptor for an authenticating onion service.
1. Open Tor Browser or click New Identity.
1. Check that the key to the onion service has not been saved (about:preferences#privacy -> Onion Services Authentication -> Saved Keys...).
1. Go to `subdomain.[service descriptor].onion`.
1. Enter the correct authentication key.
What happens:
Tor Browser does not accept the key and an error message pops up: Invalid v3 address "subdomain.[service descriptor]"
What should happen:
Tor Browser authenticates normally with the onion service.
Extra notes:
This does not happen if the user has visited `[service descriptor].onion` and successfully authenticated *before* visiting `subdomain.[service descriptor].onion`, all in the same session. The problem might be with the authentication dialog.
Sponsor 131 - Phase 5 - Ongoing Maintenance
richard

https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40585
Prune the manual more
2022-10-12T18:31:41Z
Pier Angelo Vendrame

We have had an increase in TBB size, and it's partly due to the manual.
We should remove webfonts because they are not even rendered (7.9MB uncompressed), there are not minimized JS and CSS, and we should see if we can remove some images.
We can remove what we don't need with the script that packs the manual (it just copies the static files).
Sponsor 131 - Phase 3 - Major ESR 102 Migration
Pier Angelo Vendrame

https://gitlab.torproject.org/tpo/core/tor/-/issues/6777
add config option to not rate limit authority dir conns
2022-10-11T23:41:01Z
Roger Dingledine

During today's consensus fiasco, several authorities were hitting their configured bandwidth rates. In moria1's case, we were using the default 5MB/10MB, and we were basically sustaining 5MB/s of directory output for 6+ hours. Most things weren't finishing getting written -- including votes.
weasel suggested a feature where we allow dir conns to/from authorities to go above our bandwidth limits.
I was thinking we would implement it just by making connection_is_rate_limited() say "no" for them.
but weasel suggested that we count the bytes, and reduce them from our totals, but not limit the conns. That sounds worthwhile but more complex.
On the theory that we want this hack in rather than waiting forever for the elegant solution, I convinced weasel that he should be ok with the simpler approach.
Heck, maybe rather than making it a config option, we should just make it standard behavior for authorities.
Tor: unspecified

https://gitlab.torproject.org/tpo/core/tor/-/issues/17806
Make onion queues rational, combine with workqueue logic.
2022-10-11T23:40:46Z
Nick Mathewson

Right now we have two queues for onions: one before we hand things over to the workqueue, and the workqueue itself.
Soon we'll have a client-side queue for onions, plus the workqueue. (legacy/trac#13737)
Having these extra queues is mildly helpful, since it lets us implement queueing rules more complicated than "first in first out", but it makes our code more complex. Perhaps we should abstract the priority rules and make the workqueue code the only queue we need to care about.

https://gitlab.torproject.org/tpo/core/tor/-/issues/13737
Move circuit building crypto to worker
2022-10-11T23:40:44Z
David Goulet (dgoulet@torproject.org)

Make worker able to handle circuit building crypto.

https://gitlab.torproject.org/tpo/core/tor/-/issues/9390
Warn if you're being a public relay but have too-low file descriptor limit
2022-10-11T23:40:44Z
Roger Dingledine

Inspired by discussion on legacy/trac#3030: if we're a public relay, we should check if ulimit -n is too low (under 8192 I'm thinking, based on debian's init script), and warn (and recommend using a package) if so.
This is to help people who run Tor from tarball and don't realize all the fixes you have to do manually to do it right.