The Tor Project issues
https://gitlab.torproject.org/groups/tpo/-/issues
Updated: 2023-01-05T12:42:49Z

Check where the -mwindows flag is needed
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/25863
Updated: 2023-01-05T12:42:49Z
Author: boklm

Currently we are setting the `-mwindows` flag by default in `CFLAGS` and `LDFLAGS` defined in `rbm.conf`, which are currently used (through `var/configure_opt`) in tor, gmp, libevent and go.
We should check where this flag is really needed, and only set it there.

Milestone: Sponsor 131 - Phase 5 - Ongoing Maintenance

support multiple moat-shim tokens
https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/issues/118
Updated: 2022-12-16T12:05:21Z
Author: meskio (meskio@torproject.org)

Right now moat has a configuration field for a [shim_token](https://gitlab.torproject.org/tpo/anti-censorship/rdsys/-/blob/main/conf/config.json#L99) used to authenticate connections coming from the domain fronting so we provide different bridges if it is from domain fronting or from the open internet. Let's provide a list of shim-tokens so all of them are used to authenticate and provide the same kind of bridges if a valid token is provided, so other clients can have their own token.

Milestone: Sponsor 96: Rapid Expansion of Access to the Uncensored Internet through Tor in China, Hong Kong, & Tibet
Assignee: meskio (meskio@torproject.org)

Remove socket_failed_from_resource_exhaustion heuristic
https://gitlab.torproject.org/tpo/core/tor/-/issues/40613
Updated: 2022-12-12T20:12:55Z
Author: Alex Xu

socket_failed_from_resource_exhaustion says:
```
/**
* A socket failed from resource exhaustion.
*
* Among other actions, warn that an accept or a connect has failed because
* we're running out of TCP sockets we can use on current system. Rate-limit
* these warnings so that we don't spam the log. */
static void
socket_failed_from_resource_exhaustion(void)
{
/* When we get to this point we know that a socket could not be
* established. However the kernel does not let us know whether the reason is
* because we ran out of TCP source ports, or because we exhausted all the
* FDs on this system, or for any other reason.
*
* For this reason, we are going to use the following heuristic: If our
* system supports a lot of sockets, we will assume that it's a problem of
* TCP port exhaustion. Otherwise, if our system does not support many
* sockets, we will assume that this is because of file descriptor
* exhaustion.
*/
```
The first part of the second comment is wrong for two reasons:
1. the kernel returns EADDRINUSE if TCP ports were exhausted, EMFILE if the process reached its FD limit, and ENFILE if the system reached its FD limit; and
2. we know in advance which failure condition could apply based on the system call: socket and accept can't fail due to lack of TCP ports, and bind and connect can't fail due to lack of FDs. Actually, socket_failed_from_resource_exhaustion isn't even called when bind or connect fails anyways, so it's not currently possible for it to fail due to lack of TCP ports. The second part of the first comment is misleading: socket_failed_from_resource_exhaustion is not called when connect fails, it is called when connection_connect_sockaddr fails due to socket failing. This is probably fine anyways though: if connect fails due to EADDRINUSE, then it is because thousands of connections have been made to the same destination, which is not a relay overload.
Therefore, as far as I can tell, the heuristic is not necessary and should be replaced with either or both of the preceding rules.

Text-to-speech doesn't work in TBB since El Capitan
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/20378
Updated: 2022-12-09T11:56:59Z
Author: Jens Kubieziel

At [Tor.SE](https://tor.stackexchange.com) there is a [question regarding text-to-speech and Tor Browser](https://tor.stackexchange.com/q/12915/88). The user is dyslexic and recently upgraded to El Capitan (10.11.6). Since then the text-to-speech software stopped working with TBB. The software reads the entire webpage instead of the text the user had selected. It worked in previous versions of Mac OS X and it also does work in Firefox and Safari. So it seems to be a TBB related bug.
Do you need more information? Can you help to fix this bug?

Milestone: Sponsor 131 - Phase 2 - Privacy Browser
Assignee: henry

Allow users to backup bookmarks with adb
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40437
Updated: 2022-12-08T15:15:30Z
Author: Antonela (antonela@torproject.org)

from tor-ux:
macaroni:
hey all
you know we can't export the bookmarks on Tor Browser Android
and i thought if we can backup the app with adb
then we can backup also the bookmarks
i can backup some apps with adb because they have ALLOW_BACKUP flag
but i can't backup TBA with adb
if you can do this all users can backup the app including the bookmarks
thanks!

noto-fonts Git repo is excessively large
https://gitlab.torproject.org/tpo/applications/tor-browser-build/-/issues/40186
Updated: 2022-12-08T15:15:28Z
Author: JeremyRand

The `noto-fonts` Git repo (cloned as part of the `fonts` project) uses over 6 GiB of storage, even though downloading a `.zip` archive from GitHub of the tree at that commit hash results in an archive that uses less than 40 MiB when decompressed. Is there any reason that it's downloaded via Git rather than a standard HTTPS archive download? The excessively large size is a significant barrier to some users with limited storage capacity and/or network bandwidth.

Onion Service Dereferrer
https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/174
Updated: 2022-12-08T13:19:28Z
Author: Silvio Rhatto

Build a small self-contained Onion Service application that does HTTP Referrer removals (link redirection).
See background discussion and details at https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25484#note_2861382.
See documentation on best-practices for Onion Services at https://gitlab.torproject.org/tpo/onion-services/onion-support/-/issues/30.

Enable Brotli compression for .onion domains
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/29705
Updated: 2022-12-06T15:27:53Z
Author: Trac

Tor Browser treats .onion as secure domains. Brotli compression is only enabled in Firefox on secure domains, but not for .onion domains.
Internally, Firefox controls these from the following settings:
network.http.accept-encoding
network.http.accept-encoding.secure
.onion is treated as the first instance (insecure) and only enable gzip and deflate. It should be handled as the second category and thus also enable Brotli compression.
Brotli compression will be beneficial to .onion service performance and reducing the data usage of Tor Browser.
PS: The requirement for Brotli to only be used on secure connections was a political decision by Google who wanted to use their new efficient compression method as a carrot to encourage HTTPS adoption.
**Trac**:
**Username**: expyuzz4wqqyqhjn

Add tpo/anti-censorship/gettor-project/OnionSproutsBot to the list of projects
https://gitlab.torproject.org/tpo/tpa/anon_ticket/-/issues/56
Updated: 2022-12-05T17:10:50Z
Author: n0toose

Link: https://gitlab.torproject.org/tpo/anti-censorship/gettor-project/OnionSproutsBot

"./proxy -h" does not show default value of a -capacity parameter
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40208
Updated: 2022-12-04T17:19:49Z
Author: slrslr

Hello at
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/tree/main/proxy
"proxy -h"
Regarding “-capacity” parameter it would be handy to know what value is used when I do not use the -capacity switch.

pion errors don't go into the log
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40204
Updated: 2022-12-03T13:45:30Z
Author: Roger Dingledine

My snowflake proxy tells me, I guess on either stdout or stderr,
```
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
sctp ERROR: 2022/10/03 13:47:32 [0xc002986380] stream 1 not found)
```
but I am using -log, and these lines don't show up in the log. It is unexpected that "error" category messages would be the ones that are transient and not captured for posterity.
(Also, the timestamps in the log seem to be utc, and the timestamps on my stdout/stderr appear to be local timezone. Not sure if that merits a separate ticket -- let me know if yes and I can open it.)

Assignee: Linus Nordberg (linus@torproject.org)

Disable bookmark backups
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/40943
Updated: 2022-11-30T18:34:03Z
Author: cypherpunks

Tor browser shouldn't backup bookmarks at all and even when bookmarks are deleted, old backups remain in:
/Browser/TorBrowser/Data/Browser/profile.default/bookmarkbackups

Improve identity doorhanger message during failed onion authentication
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/34370
Updated: 2022-11-30T16:59:26Z
Author: Antonela (antonela@torproject.org)

When you visit an onion site that requires authentication and you click cancel, then you click the circled-i button to the left of the URL, it says connection is not secure.
But there is no connection, and any handshake-type stuff that happens is all secure, right? Maybe it's not an issue but I thought I'd just bring it up.
via https://blog.torproject.org/comment/288072#comment-288072

More RWX memory pages for TBB on some Windows versions
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/22584
Updated: 2022-11-30T16:58:09Z
Author: Arthur Edelstein

A cypherpunk has reported some RWX memory pages were observed for Tor Browser on Windows 7 and Windows 10. See:
* ticket:21617#comment:4
* ticket:21617#comment:7
* ticket:21617#comment:14

Milestone: Sponsor 131 - Phase 5 - Ongoing Maintenance

Discourage more running a browser in parallel to Tor Browser
https://gitlab.torproject.org/tpo/web/support/-/issues/280
Updated: 2022-11-30T16:52:28Z
Author: Georg Koppen

We have https://support.torproject.org/tbb/tbb-17/ for answering the question about whether it is safe to run a different browser in parallel to Tor Browser.
It's correct that *Tor Browser's* privacy features are unaffected by that but we should stress more the risk of linking both browsing activities.
Maybe something like
```
If you run Tor Browser and another browser at the same time, it won't affect Tor's performance or privacy properties. However, be aware that when using Tor and another browser at the same time, your Tor activity could be linked to your non-Tor (real) IP from the other browser, simply by moving your mouse from one browser into the other. Or you may simply forget and accidentally use that non-private browser to do something that you intended to do in Tor Browser instead.
```
Thanks to `ForMariosTheHacker` at h1 for pointing that out.

Assignee: Gus

Regression in keyboard fingerprinting
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/26557
Updated: 2022-11-30T16:51:48Z
Author: Trac

I just compared fingerprinting protection between 8.0a8 and 8.0a9. There appears to be a regression when it comes to key combinations with AltGraph.
My system:
OS: Whonix 14 (Debian stretch) on Qubes OS 4.0
Keyboard layout: Neo (https://neo-layout.org/index_en.html)
For testing I used https://arthuredelstein.github.io/tordemos/keyboard.html.
There are several keys that have regressed:
== Numbers
When typing the number 0 using the key pad on layer 4 ('<' + space) I observe these differences:
8.0a8: code: Digit0, modifierState: empty
8.0a9: code: Space, modifierState: AltGraph
Similarly, other numbers, when typing using the number pad on layer 4, show the actual key that was pressed (KeyM, KeyJ, KeyU, …) instead of DigitX.
== Navigation Keys
Arrow up:
8.0a8: code: ArrowUp, modifierState: empty
8.0a9: code: ArrowUp, modifierState: AltGraph
The modifier leaks with many of the keys on layer 4. Including, all arrow keys, escape, home, end, delete, back and comma. Interestingly, period and colon don't leak the modifier.
I also noticed that colon is recognized as semicolon (on all layers) but that's also the case in older Tor Browser versions.
**Trac**:
**Username**: pege

Rip out startup GfxSanityTest entirely
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/23263
Updated: 2022-11-30T16:50:26Z
Author: cypherpunks

Mozilla understood it's a Windows-only "feature" in FF54 https://bugzilla.mozilla.org/show_bug.cgi?id=1339432, but Tor Browser doesn't need that trash.

Milestone: Sponsor 131 - Phase 5 - Ongoing Maintenance

Tor Browser breaks rendering of fonts in applications launched from Tor Browser
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/18813
Updated: 2022-11-30T16:47:36Z
Author: adrelanos

Tor Browser adds few additional environment variables which breaks `kdialog` and likely other applications also:
```
FONTCONFIG_PATH=/home/user/tor-browser_en-US/Browser/TorBrowser/Data/fontconfig
LD_LIBRARY_PATH=/home/user/tor-browser_en-US/Browser/TorBrowser/Tor/
```
screenshot:
https://i.imgur.com/1ItY3jR.png
([This issue was originally reported against QubesOS.](https://github.com/QubesOS/qubes-issues/issues/1892))
Perhaps do not modify environment variables for applications launched from Tor Browser?

TorBrowser remembers location of last locally-opened file: "File > Open File ..."
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/4763
Updated: 2022-11-30T16:45:12Z
Author: cypherpunks

This seems like less-than-ideal behavior.
Ex., TBB is used as the local Tor, Vidalia and browser by Alice, on her computer. However, Bob also has access to Alice's computer because they live together. Alice was looking at a local file she doesn't want Bob to see, but Bob does see the file when he too uses TBB as the local Tor, Vidalia and browser. Of course, Bob found the local file by mistake when he was trying to open a different local file.

When Clicking more information when visiting a V3 onion some of the buttons are cut off
https://gitlab.torproject.org/tpo/applications/tor-browser/-/issues/25872
Updated: 2022-11-30T16:39:10Z
Author: Trac

When Clicking more information when visiting a V3 onion some of the buttons are cut off.
1. go to http://sik5nlgfc5qylnnsr57qrbm64zbdx6t4lreyhpon3ychmxmiem7tioad.onion
2. click the "!" next to the URL and click ">" then click more information.
3. The "View cookies" and "View saved passwords" buttons are cut off.
I attached a photo showing the buttons cut off.
Tor Browser 7.5.3
**Trac**:
**Username**: Dbryrtfbcbhgf